Using Management Center for Cisco Security Agents 6.0
Event Logging and Alerts

Table Of Contents

Event Logging and Alerts

Overview

The Event Log

Filtering Events

Filtering Events by Event Set

Filtering Events by Defining a Custom Filter

Event Aggregation and Suppression

Graphing Similar Events

Graphing Similar Events by Time

Graphing Similar Events by Differences

Reading Event Details

Reading Packet Details

Event Monitor

Event Analysis

Viewing Events Using the Event Analysis Filter

Configuring An Event Analysis Filter

Event Managing Tasks

Local Event Log File

Configuring Allowed Number of Securitylog.txt Files

How Logging Works

Verbose Logging

Logging and Query User Rules

About the Event Management Wizard

Creating Exception Rules

Creating Allow Exception Rules

Creating Logging Exception Rules

Configuring Exceptions

Editing Exceptions

Enabling, Disabling, and Deleting Exceptions

Moving and Copying Exceptions

Perform an Application Behavior Investigation

Suppressing Similar Events

Viewing Event Suppression Filters

Purge Similar Events

Event Sets

Third Party Access to Events

Configuring Alerts

Generate an Alert Log File for Third Party Applications


Event Logging and Alerts


Overview

Events and messages logged by Cisco Security Agents can be viewed from CSA MC. You can also control the type of alert sent out based on the severity level of the logged event, the specific event, and the host that generated the alert. You can configure CSA MC to send email, issue SNMP traps, log to a text file, and execute custom programs.


Note Cisco Security Agent events are also stored in the NT event log on an agent system in a localized format.


This section contains the following topics.

The Event Log

Filtering Events

Event Aggregation and Suppression

Graphing Similar Events

Reading Event Details

Reading Packet Details

Event Monitor

Event Analysis

Event Managing Tasks

Local Event Log File

How Logging Works

Verbose Logging

Logging and Query User Rules

About the Event Management Wizard

Creating Exception Rules

Creating Logging Exception Rules

Perform an Application Behavior Investigation

Suppressing Similar Events

Purge Similar Events

Event Sets

Third Party Access to Events

Configuring Alerts

Generate an Alert Log File for Third Party Applications

The Event Log

The Event Log view lets you view system events provided by registered agents according to designated time frames, event severity levels, and the system that generated the event. To reach the Event Log screen, begin at the CSA MC menu bar and navigate Events > Event Log.

Figure 10-1 Event Log Screen

The event log screen (see Figure 10-1) displays event messages within the time frame and severity level you specify and optionally by a specific host. These event messages explain the event that occurred and they provide a link to the rule that triggered the event. They also provide the exact time the event was recorded and a link to the registered host view for the host that generated the event.

Some Event Log messages contain a Details link you can click to view more information about the event that generated the message. (The details contained here can be useful to customer support.) Read Reading Event Details for more information. The Details link also provides packet information when appropriate. By installing Wireshark (http://www.wireshark.org) on the same server on which CSA MC is installed, you will be able to read the contents of a packet in a human-readable form rather than in hexadecimal notation. Read Reading Packet Details for more information.

Log messages also contain a Rule number link. Clicking a Rule number link takes you to the rule that was triggered when the message in question logged.

Use the Wizard link, where available, to edit the rule that caused the event. See About the Event Management Wizard for details.

A System State link appears with an event when the rule in question has triggered due to a system state condition. (Note that it is not always advisable to generate a wizard exception based on an event that is appearing due to a system state condition triggering. Rather, if you intend to configure an exception, you should create it for the original rule that caused the system state to apply.) Use the pop-up that appears when you click System State from an event to trace back to the original rule (if available) that triggered the system state condition.

Use the Find link to open the Find Similar Events dialog box and search for messages similar to the one displayed in the Event log. Use the Graph link to display similar events graphically.

The information displayed on the Event Log page is controlled by the settings defined in the Change Filter window. The Change Filter window allows you to sort information by event set or by defining a custom filter. The way the events are filtered is presented at the top of the Event Log page.

Figure 10-2 Event Log Filter Summary

The event log filter summary provides this information depending on the settings in the event filter.

Event log generation time: This is the timestamp of the moment the filter was applied and a list of events displayed.

Event set: This indicates the name of the Event Set, if any, used to filter the event log view.

Time range: This indicates the start date and end date used to filter the event log view.

Severity: This is the current minimum and maximum severity range set for the event log filter.

Host: This indicates the name of the host used to filter the event log view.

Policy: This displays the name of the policy used to filter the event log view.

Security Service: This displays the name of the security service used to filter the event log view.

Rule ID: This displays the rule number used to filter the event log view.

Events per page: This defines how many events are displayed on each page of the event log.

Filter text: This displays the text string included or excluded from the event log filter.

Filter out similar events: When event filtering is enabled (it's enabled by default), the event log displays an aggregation of events. This aggregation means that one representative event is displayed for all events that are considered similar on the MC. Similar events are defined as having the same rule ID and the same application name and path (excluding drive letter). When similar events are filtered from the event log view in this way, there is italicized text below the viewable representative event. This text displays the number of filtered events that are not visible. Clicking the Find link in the row of the event causes all events of this similar type to be displayed in a new event log window.


Note This event filtering feature is enabled by default. Accessible from the Change filter link at the top of the Event log page, you can change the Filter out similar events radio button to No to turn this feature off.


Sort by: Indicates the list is sorted by the Order received or by Date.

Filtering Events

Events can be filtered either by event set or by defining a custom filter. Click the change filter link in the event log filter summary area to display the Filter Events dialog box.

Figure 10-3 Filter Events dialog box

Filtering Events by Event Set

An event set is a pre-defined set of search criteria. To learn more about event sets see "Event Sets" section.


Step 1 Click the change filter link in the event log filter summary area.

Step 2 In the Filter Events dialog, select an event set from the Filter by event set pull-down menu.

Step 3 Click View. The events are filtered by event set and the Event Log screen shows the results.

Filtering Events by Defining a Custom Filter

Searches defined by search criteria are "and" searches. That is, the more attributes you specify to search by, the fewer events are likely to be found by the search.


Step 1 Click the change filter link in the event log filter summary area.

Step 2 In the Filter Events dialog, select the Define filter: radio button. You can filter your events using any of these attributes:

Start date and End date: To search events, click the Change Filter link to access a pop-up window from which you can enter search criteria such as Start and End Date time frames. You can refer to the following points for entering time frame information, but note that most reasonable time frames are recognized by CSA MC:

You can specify a relative time using any of the following terms: tomorrow, yesterday, today, now, next, ago, year, month, week, day, hour, minute, and second.

You can enter a specific time using the format hh:mm:ss. If no meridian (AM or PM) is specified, hh is interpreted on a 24 hour clock (0-23). Note that entering minutes and/or seconds is optional.

You can enter a specific month and day with optional year in the formats: mm/dd/yy, monthname dd,yy. Specifying the year is optional. The default year is the current year.

Minimum and Maximum Severity Settings: From the Minimum and Maximum Severity pulldown list, select a severity level from the following severities:

Informational

Notice

Warning

Error

Alert

Critical

Emergency

Host: You can filter the Event Log by host systems. All is the default here. All events generated by systems registered with the server are displayed. You can enter a specific host name to search for that host. Click the change link beside the Host field for a host selection box.

Policy: In the "Advanced View" of the CSA MC, you can filter events based on what security policy the event triggered.

Security Service: In the "Basic View" of the CSA MC, you can filter events based on what security service was triggered by the event.

Rule ID: This field allows you to enter a specific rule number that you want to search for.

Events per page: Enter the number of events per page you want to display up to a maximum of 500 events per page. The event log displays the most recent number of events based on the value you enter. You can page forward through links to view additional pages matching the query.


Note You can configure the CSA MC Event Log to display events from the agent system's NT Event Log. See NT Event Log, page 6-57.


Filter text: Enter a text string to search for. Select Include to include events that contain the text string in your search, select Exclude to exclude events that contain the text string from your search results.

Filter out similar events: When event filtering is enabled (it's enabled by default), the event log displays an aggregation of events. This aggregation means that one representative event is displayed for all events that are considered similar on the MC. Similar events are defined as having the same rule ID and the same application name and path (excluding drive letter). When similar events are filtered from the event log view in this way, there is italicized text below the viewable representative event. This text displays the number of filtered events that are not visible. Clicking the Find Similar link below the event causes all events of this similar type to be displayed in a new event log window.


Note This event filtering feature is enabled by default. Accessible from the Change filter link at the top of the Event log page, you can change the Filter out similar events radio button to No to turn this feature off.


Sort by: You can sort the final list of events by Order received or by Date.

Step 3 Click View. The events are filtered by your search criteria and the Event Log screen shows the results.

Event Aggregation and Suppression

When first deploying rules to agents, it is not unusual to have an overwhelming flurry of events appearing in the event log. In some cases, most of these events are similar events or simply "noisy", not useful events to view. If this is the case, the event log provides two mechanisms for paring down the number of events that appear:

Event Filtering (aggregation of events)

When event filtering is enabled, the event log displays an aggregation of events. This aggregation means that one representative event is displayed for all events that are considered similar on the MC. Similar events are defined as having the same rule ID and the same application name and path (excluding drive letter).

When similar events are filtered from the event log view in this way, there is italicized text below the viewable, representative event. This text displays the number of filtered events that are not visible. Clicking the Find link allows you to search for all events of this similar type. Clicking the Graph link allows you to graph similar events.

Figure 10-4 Event Log Find Similar


Note This event filtering feature is enabled by default. Accessible from the Change filter link at the top of the Event log page, you can select the "Filter out similar events" No radio button to turn this feature off.


A "similar" event meets the following criteria:

Same event code type.

Same rule ID.

Same application name and path (excluding drive letter).
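The following Python model of the "Filter out similar events" aggregation is added here for illustration and is not part of the Cisco documentation or the CSA MC code. It groups constructed sample events on the three criteria listed above (event code type, rule ID, application name and path with the drive letter stripped); folding the path to lower case is an added assumption, since Windows paths are case-insensitive.

```python
"""Aggregate event-log records into one representative per group of
"similar" events, plus the count of hidden events, as the CSA MC Event Log
does when "Filter out similar events" is set to Yes.  Added example, not
Cisco code; the event records below are constructed for illustration."""
from collections import OrderedDict
import re

# Constructed sample events (not real CSA MC output).  Each record carries the
# fields the similarity definition uses plus a host and timestamp for display.
SAMPLE_EVENTS = [
    {"event_code": "FILE_DENY", "rule_id": 412, "app": r"C:\Program Files\App\app.exe",
     "host": "Client221", "time": "2010-03-31 15:12:01"},
    {"event_code": "FILE_DENY", "rule_id": 412, "app": r"D:\Program Files\App\app.exe",
     "host": "Client222", "time": "2010-03-31 15:12:05"},
    {"event_code": "FILE_DENY", "rule_id": 412, "app": r"c:\program files\app\APP.EXE",
     "host": "Client221", "time": "2010-03-31 15:13:40"},
    {"event_code": "FILE_DENY", "rule_id": 413, "app": r"C:\Program Files\App\app.exe",
     "host": "Client221", "time": "2010-03-31 15:14:00"},
    {"event_code": "NET_DENY", "rule_id": 412, "app": r"C:\Program Files\App\app.exe",
     "host": "Client221", "time": "2010-03-31 15:15:00"},
    {"event_code": "FILE_DENY", "rule_id": 412, "app": r"C:\Program Files\Other\tool.exe",
     "host": "Client223", "time": "2010-03-31 15:16:00"},
]

_DRIVE_RE = re.compile(r"^[A-Za-z]:")


def normalize_app_path(path):
    """Strip the drive letter (the page says it is excluded) and fold case
    (assumption: Windows paths compare case-insensitively)."""
    return _DRIVE_RE.sub("", path).lower()


def similarity_key(event):
    """The three criteria that make two events "similar"."""
    return (event["event_code"], event["rule_id"], normalize_app_path(event["app"]))


def aggregate(events, filter_similar=True):
    """Return a list of (representative_event, hidden_count) tuples in the
    order the groups were first seen.  With filter_similar=False (the
    "No" radio button) every event is its own representative."""
    if not filter_similar:
        return [(e, 0) for e in events]
    groups = OrderedDict()
    for e in events:
        groups.setdefault(similarity_key(e), []).append(e)
    return [(members[0], len(members) - 1) for members in groups.values()]


def find_similar(events, representative):
    """What the Find link does: every event sharing the representative's key."""
    key = similarity_key(representative)
    return [e for e in events if similarity_key(e) == key]


if __name__ == "__main__":
    for rep, hidden in aggregate(SAMPLE_EVENTS):
        line = "%s rule %d %s on %s" % (rep["event_code"], rep["rule_id"], rep["app"], rep["host"])
        if hidden:
            line += "  (%d similar events filtered)" % hidden
        print(line)
```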

Event Suppression

When event suppression is enabled, all chosen events are no longer displayed in the event log. Event suppression is best used when you have a recurring event that is more noisy than useful to you. This is something you are aware of, but no longer wish to see. Suppressing the event removes all viewable instances of that event and causes further events of the same type to be hidden. Note that these events remain in the database, they are simply not displayed. The visibility of the suppressed events is controlled by Administrator Preference settings. Refer to Configuring Role-Based Administration, page 2-14.


Note Event suppression can also be enabled through the Event Log Wizard. See About the Event Management Wizard. Clicking the Wizard link from the event you wish to suppress allows you to create a suppression filter for the event.


Graphing Similar Events

When using the advanced view of the CSA MC, administrators can graphically display similar events using the Graph link in the Event Log.

Events may be graphed to show when similar events occurred over time or they may be graphed to show a breakdown of the differences in aggregated events.

Events graphed by time are filtered via a set of criteria, counted per unit of time, and graphed versus time. For example, you could create a graph of Events vs. Time where each day is represented by a point and the value of the "y" axis is the number of events that occurred that day. This filtering is very similar to the Find option.

Events that have a host associated with them can be graphed in the format Hosts vs. Time. In this case the "y" axis value indicates the number of hosts that generated an event meeting the criteria during a day.

Differences in aggregated events are broken down and displayed in a bar chart. This could give you a visual image of how, for example, one application has been denied or allowed access to a variety of different files.

Each point on a graph, or line in a chart, is also a hyperlink. You can mouse over it to see summary information about that data or you can click the data point to display the events it represents.

Graphing Similar Events by Time


Step 1 From the Event Log window, select an event that you want to display graphically, and click the Graph link for the event.

Step 2 Click the Time link.

Step 3 In the Graphing Criteria dialog box, select the filtering criteria for your graph:

Type refers to event type.

Policy Rule indicates what rule was triggered for the event log entry.

Application describes the application involved in the event.

Host is the name of the host.

Severity is the severity level of the event.

Time Frame allows you to choose the span of time around the current date and time.

Filtered text allows you to include or exclude events based on the presence of a text string in the event description.

Step 4 In the Graph Options area, select the kind of events to count per day and the time scale of the graph: hours, days, months, or years.

Step 5 Click Create Graph. The graph is displayed in a pop-up box.

After the graph has been created you will be able to change graph criteria, print the graph, and download the graphed data as a .csv (comma separated value) file by clicking the corresponding link.

You will also be able to analyze a data point on the graph by clicking it. Mousing over a data point on the graph pops up summary information about the data point. Clicking on the data point will show you all the similar events that it represents.

Graphing Similar Events by Differences


Step 1 Log on to the CSA MC and switch to Advanced Mode.

Step 2 From the Event Log window, select an event that you want to display graphically, and click the Graph link for the event.

Step 3 Click the Differences link. The aspects of the event message that have been aggregated are outlined with a blue box.

Step 4 Click one or more of the blue criteria fields in order to create the graph based on those criteria. When more than one criterion is selected, the graphing tool interprets that as an "and" request. All of the selected criteria must be present in the event for it to be graphed.

Step 5 Click Create Graph. The graph is displayed below the event.

Figure 10-5 Image of rule with highlighted box

Figure 10-5 shows how many different files MCSHIELD attempted to access on host Client221, and how often MCSHIELD attempted to access them.

Reading Event Details

To view the details of an Event Log entry, follow this procedure:


Step 1 Move the mouse over Events in the menu bar of CSA MC. Select Event Log from the drop-down list that appears. All events are displayed by default in the event log.

Step 2 Click the Details link for the event about which you want more information. The details of the event are displayed in a separate page.

Step 3 (Optional) If you want more information about an entry in the details, you can use the Google search engine to search the Internet. Do this in one of two ways:

With your mouse, highlight the string of text, in the details page, about which you want more information. Then click the Google icon at the bottom of the details page. A new browser window opens with the results of the Google search.

Drag the Google icon at the bottom of the details page over one of the fields in the details page. (Fields that are highlighted white can be searched by Google.) Release the mouse button. A new browser window opens with the results of the Google search.

Reading Packet Details

CSA MC provides a mechanism which allows you to use "Wireshark" software to translate packets into a readable format. Wireshark is a third-party tool that analyzes protocols and works with WinPcap to analyze packets. Before you can view packet information in readable form, you must first install Wireshark on the same server that runs CSA MC.

To install Wireshark, follow the installation instructions found at http://www.wireshark.org. Install the latest released version of Wireshark and the version of WinPcap recommended by Wireshark.

After you have installed Wireshark, you can read packet details by following this procedure:


Step 1 Move the mouse over Events in the menu bar of CSA MC. Select Event Log from the drop-down list that appears. All events are displayed by default in the event log.

Step 2 Click the Details link for the event about which you want more information. The details of the event are displayed in a separate page.

Step 3 Scroll down to the NetPacket details row to read a description of the contents of the packet that triggered the event.

Event Monitor

Similar to the Event Log, the Event Monitor, available from the Events category in the menu bar, lets you view system events provided by registered agents according to designated severity levels, and the host that generated the event. You can also enter the number of events to be displayed (default value is the last 50 events). Click the Change link to access a pop-up window from which you can edit these values and change the event filter. Refer back to The Event Log for more information on these fields.

Unlike the Event Log page, the Event Monitor page automatically refreshes itself at set intervals. The event list is updated with the latest events each time the page refreshes.

The footer of this page provides a Refresh button and a Pause button. Use the Refresh button to refresh the page immediately without waiting for the set refresh interval to occur. Use the Pause button to immediately stop the page from refreshing. The set refresh interval will then stop at wherever it is in the countdown. This pause feature is useful when you are testing policies and you want to mark a certain place as a starting point for receiving new events. When you click it, the Pause button becomes a Resume button.


Note The administrator inactivity timeout value is still in effect when you leave the Event Monitor screen displayed on your system. The automatic page refresh does not constitute activity.


The Event Monitor will continue to refresh even after the timeout expires. However, you will not be able to navigate to any other page. This allows you to leave the Event Monitor on screen without worrying about anyone being able to access CSA MC after the session timeout.

Event Analysis

The Event Analysis tool shows you the applications that are producing the most events and the hosts on which those applications are running.

Viewing Events Using the Event Analysis Filter


Step 1 Log on to the CSA MC with any level of user privilege. This task can be performed in Simple Mode or Advanced Mode.

Step 2 Move the mouse over Events in the menu bar and select Event Analysis. The results of the Default Event Analysis Filter are displayed.

The Most Active Applications table lists the paths to the applications that have reported the most Terminate and Deny events.

Expanding the number in the Hosts column displays a table of Hosts that have reported the most events from the Most Active Application row.

Clicking the number in the Events column opens the Event Log where the events reported by the Host and from the Most Active Application are listed with boldface type.

Configuring An Event Analysis Filter


Step 1 Log on to the CSA MC with any level of user privilege. This task can be performed in Simple Mode or Advanced Mode.

Step 2 Move the mouse over Events in the menu bar and select Event Analysis. The results of the Default Event Analysis Filter are displayed.

Step 3 Click the change link next to the Default event analysis filter.

Step 4 At the bottom of the Event Analysis Filter page, click Clone.

Step 5 Define the event filter:

Start date and End date: You can refer to the following points for entering time frame information, but note that most reasonable time frames are recognized by CSA MC:

You can specify a relative time using any of the following terms: tomorrow, yesterday, today, now, next, ago, year, month, week, day, hour, minute, and second.

You can enter a specific time using the format hh:mm:ss. If no meridian (AM or PM) is specified, hh is interpreted on a 24 hour clock (0-23). Note that entering minutes and/or seconds is optional.

You can enter a specific month and day with optional year in the formats: mm/dd/yy, monthname dd,yy. Specifying the year is optional. The default year is the current year.

Minimum and Maximum Severity Settings: From the Minimum and Maximum Severity pulldown list, select a range of severity levels for your filter.

Host: Enter the name of a host in the Host field or click the change link to specify a host or a group of hosts.

Policy: Click the policy box to select a specific policy on which you want to filter.

Rule ID: Enter a specific rule number that you want to search for.

Rule action: Click the change link to specify the kind of action you are searching for. For example, Terminate, Deny, or Allow.

Filter text: Enter a text string to search for. Select Include to include events that contain the text string in your search, select Exclude to exclude events that contain the text string from your search results.

Group by: Choose to group the events by Application or Host.

Provide a Name and short Description for this new Event Analysis Filter.

Select the Default filter box if you would like to view this filter first after navigating the Event Analysis page.

Step 6 Click Save and Apply. The results of the Event Analysis Filter are displayed on the Event Analysis page.

Event Managing Tasks

The Event Managing Tasks feature, available from the Events menu bar, lets you create event database management tasks to manage the size of your event log. As your event log grows, specifying parameters for deleting events will help prevent this log from growing too large and from retaining stale information.


Note You can configure global event insertion threshold parameters from the global Event Insertion Tasks page. This page already contains default settings for stopping the insertion of additional events for each event level when the specified threshold setting is reached. You can change these settings, if necessary. The thresholds on this page only trigger if the Event Managing Tasks parameters you configure (described in the second section on this page) do not adequately keep events pruned below configured levels. For example, if there is a sudden flurry of events and configured pruning parameters do not trigger immediately, the global thresholds will kick in.


To access the global Event Insertion Tasks page:


Step 1 Move the mouse over Events in the menu bar and select Event Management Tasks from the drop-down list that appears.

Step 2 Click the top bracketed link <Event Insertion Tasks> to access the page. See Figure 10-7.

This page displays the total number of events in the Event Log. It also breaks the events out by severity level, showing the number of events that exist at each level. Beneath this graphical event display are the default threshold settings for each event level. These thresholds represent the upper limit of events which must be reached for each severity level before no more events of this type will log. Event pruning must occur in order for these event types to once again be written to the Event Log.

To configure an event auto-pruning task, do the following. See Figure 10-6.


Step 1 Move the mouse over Events in the menu bar and select Event Management Tasks from the drop-down list that appears.

Step 2 Click the New button to create a new entry. This takes you to the auto-pruning configuration view.

Step 3 Enter a Name for the auto-pruning task.

Step 4 Enter a Description. This is a useful line of text that is displayed in the list view and helps you to identify this particular configuration.

Step 5 Use the Enabled checkbox to enable this event auto-pruning configuration. (It is enabled by default.) By not selecting this checkbox, you can save this item, but it will not be active.

Step 6 All conditions in the Delete Events area must be met in order for events to be automatically deleted by this event management task. In the Delete Events area configure these settings:

In the After field, specify how old events in the event log can be before they are deleted.

In the Matching the following event set field, specify the event set of which the events must be a member.

In The database size exceeds field, specify how large the database must be before events are deleted.

Step 7 Click the Save button.


Note This purging of events will occur periodically based upon the configured auto-pruning items. Generally, this pruning will take place at a time when the least activity is registered on the MC. When event auto-pruning occurs, a message appears in the event log notifying you of this action.


Figure 10-6 Event Auto-Pruning

Figure 10-7 Event Insertion Task

Local Event Log File

CSA records, in a local log file named securitylog.txt, the events that it sends to CSA MC. Securitylog.txt is located in the Program Files\Cisco\CSAgent\log directory.

The securitylog.txt file can reach a maximum size of about 1MB. If CSA generates an event after the securitylog.txt file has reached 1MB, CSA backs up a copy of the existing securitylog.txt file and begins a new one. This is the naming convention for the backed-up securitylog.txt files: securitylog-YYYYMMDD-HHMM.txt. For example, CSA could back up securitylog.txt with the file name securitylog-20100331-1512.txt, indicating it was saved on March 31, 2010 at 15 hours 12 minutes.

After CSA backs up the old securitylog.txt file, it writes new event messages to the new securitylog.txt file. CSA saves up to four of the backed-up securitylog.txt files at a time. You can configure the number of backup securitylog.txt files CSA can create by changing the value of the esl_file_limit parameter in the sysvars.cf file.


Note In the releases of CSA before version 6.0.0.214, if the current securitylog.txt file is 1MB but CSA had created a new securitylog.txt file within the past hour, CSA does not create a new securitylog.txt file and stops logging. CSA interprets the excessive logging as an attack intended to deplete CSA's logging resources. CSA resumes logging to securitylog.txt after an hour has passed from the time it created the previous securitylog file.

In CSA 6.0.0.214 and subsequent builds of CSA, this behavior is different: CSA continues to create new securitylog.txt files whenever the existing securitylog.txt file reaches 1MB. CSA saves up to four of the past securitylog.txt files depending on the configuration of the esl_file_limit parameter in the sysvars.cf file.
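The following Python model of the securitylog.txt rotation described above is added for illustration; it is not Cisco's agent code. It reproduces the 1MB rollover, the securitylog-YYYYMMDD-HHMM.txt backup naming, the esl_file_limit cap of one to four backups, and the difference between the pre-6.0.0.214 one-hour stop and the later unconditional rotation; the file sizes, timestamps and directory listing it works on are constructed.

```python
"""Model of Cisco Security Agent securitylog.txt rotation (added example,
not the agent's implementation).  Inputs are constructed: the caller passes
the current file size, the backup names present in the log directory, the
current time, and the esl_file_limit value from sysvars.cf."""
from datetime import datetime, timedelta

MAX_BYTES = 1024 * 1024        # securitylog.txt rolls over at about 1MB
DEFAULT_ESL_FILE_LIMIT = 4     # default: keep four backed-up files
LOG_DIR = r"C:\Program Files\Cisco\CSAgent\log"   # where securitylog.txt lives
BACKUP_FORMAT = "securitylog-%Y%m%d-%H%M.txt"     # securitylog-YYYYMMDD-HHMM.txt


def backup_name(when):
    """Name for a backup saved at the given time, e.g. securitylog-20100331-1512.txt."""
    return when.strftime(BACKUP_FORMAT)


def backup_time(name):
    """Inverse of backup_name; returns None for files that do not follow the convention."""
    try:
        return datetime.strptime(name, BACKUP_FORMAT)
    except ValueError:
        return None


def rotate(current_size, backups, now, esl_file_limit=DEFAULT_ESL_FILE_LIMIT,
           build_after_214=True):
    """Decide what the agent does when a new event must be written.

    Returns (action, backups_after) where action is one of:
      "append"   - securitylog.txt is still under 1MB; keep writing to it
      "rotate"   - back up the current file under a timestamped name, start a new one
      "suppress" - builds before 6.0.0.214 only: a backup was created within the
                   past hour, so logging stops until an hour has passed
    backups_after is the list of backup names kept after the action.
    """
    if current_size < MAX_BYTES:
        return "append", list(backups)
    # Files that do not follow the naming convention are ignored here.
    valid = [b for b in backups if backup_time(b) is not None]
    if not build_after_214 and valid:
        newest = max(valid, key=backup_time)
        if now - backup_time(newest) < timedelta(hours=1):
            return "suppress", valid
    # esl_file_limit accepts 1, 2, 3 or 4; clamp anything else into that range.
    limit = max(1, min(4, int(esl_file_limit)))
    kept = sorted(valid + [backup_name(now)], key=backup_time)
    return "rotate", kept[-limit:]


if __name__ == "__main__":
    # Constructed listing: four hourly backups already present, file full again.
    listing = ["securitylog-20100331-1100.txt", "securitylog-20100331-1200.txt",
               "securitylog-20100331-1300.txt", "securitylog-20100331-1400.txt"]
    action, after = rotate(MAX_BYTES, listing, datetime(2010, 3, 31, 15, 12))
    print(action, after)   # the 11:00 backup is dropped to stay within four files
```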


Configuring Allowed Number of Securitylog.txt Files

CSA saves up to four of the backed-up securitylog.txt files at a time. You can configure the number of securitylog.txt files CSA saves by editing the esl_file_limit parameter in the sysvars.cf file.


Step 1 Log on to the host for which you want to configure the number of securitylog.txt files.

Step 2 Turn off Cisco Security Agent by right-clicking the agent icon in the system tray and selecting Security Level > Off.

Step 3 In the justification pop-up dialog box, select Yes and enter a short justification in the Please explain field.

Step 4 Navigate to the C:\Program Files\Cisco\CSAgent\cfg directory.

Step 5 As a precaution, make a copy of the sysvars.cf file before you edit it.

Step 6 Open the sysvars.cf file and find the esl_file_limit parameter.

Step 7 Set the esl_file_limit parameter to 1, 2, 3, or 4. This determines the number of backup securitylog.txt files CSA saves.

Step 8 Save and close sysvars.cf.

Step 9 Turn on Cisco Security Agent by right-clicking the agent icon in the system tray and selecting Security Level > Medium.

How Logging Works

The CSA MC Event Log does not contain every occurrence of an event from a system. Duplicate events are not logged for an hour after the first occurrence.


Caution In some cases, when an event is logging continuously, the agent will suppress this logging temporarily. Before it does this, a log message informing you of this suppression appears in the event log.

The following information is logged for each rule type.

File access control logging—Process path and file names and file operation are logged.

Network access control logging—Process path, network address, port and direction are logged.


Note No network access control rule denial events are logged for any TCP or UDP port resulting from multicast packet signals.


Registry access control logging—Process path and registry key are logged.

COM component access control logging—Process path and COM component PROGID/CLSID are logged.

A duplicate event is defined as follows:

For file access controls, the name of the application and the file being accessed are the same.

For network access controls, the name of the application, the remote address, and the network service port are the same.

For registry access controls, the name of the application and the registry key name and value name are the same.

For COM component access controls, the name of the application and the COM component PROGID or CLSID are the same.

Verbose Logging

Enable Verbose Logging Mode in the Group configuration view to change the event log timer to log all recurring events rather than only logging recurring events once every hour. Verbose logging applies to all policies that are attached to the group that have logging turned on.

For normal operations, you would not want to enable Verbose logging. Verbose logging is useful for troubleshooting and for analyzing how applications work with rule sets, i.e., related processes and subprocesses. In the latter case, using Verbose logging with Audit Mode can be very useful for monitoring how a rule set would work before deploying it.


Note Verbose logging is enabled on a host if any group in which the host is a member has Verbose logging turned on.


Logging and Query User Rules

When a user responds to a Query User box (by pressing Yes, No, or Terminate), the agent remembers the response and caches it for an hour. This way, if the same rule is triggered again within that hour, the action is allowed or denied based on what the user answered previously, with no pop-up query box appearing again. When the user responds to a triggered Query User pop-up box, the system action that triggered the pop-up, as well as the user's response, are logged in the CSA MC event log. With Verbose logging turned on, all subsequent automatic allows or denies are logged as well. Otherwise, the one hour logging timer prevents agents from logging the automatic allowed or denied system action if it occurs again within the hour.
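The following is an added example, not code from the Cisco guide or from the agent itself. It models the three timer behaviours described in "How Logging Works", "Verbose Logging", and "Logging and Query User Rules": the duplicate-event key for each rule type, the one-hour timer that suppresses duplicates unless Verbose logging is on, and the one-hour cache of a user's Query User answer. The Event class, its field names, the rule ID 1042, and the sample paths are constructed for illustration.

```python
# Added example (not from the Cisco guide): a model of the one-hour duplicate-event
# timer, the Verbose logging override, and the one-hour Query User response cache.
# Field names, the Event class, rule ID 1042 and the sample paths are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

ONE_HOUR = 3600  # seconds; the recurring-event timer the guide describes


@dataclass
class Event:
    rule_type: str          # "file", "network", "registry" or "com"
    app: str                # process path of the application
    time: float             # seconds since an arbitrary epoch
    file: str = ""          # file access control: file being accessed
    remote_addr: str = ""   # network access control: remote address
    port: int = 0           # network access control: network service port
    reg_key: str = ""       # registry access control: key name
    reg_value: str = ""     # registry access control: value name
    com_id: str = ""        # COM component access control: PROGID or CLSID


def duplicate_key(ev: Event) -> tuple:
    """Fields that make two events duplicates, per rule type, as the guide defines them."""
    if ev.rule_type == "file":
        return ("file", ev.app, ev.file)
    if ev.rule_type == "network":
        return ("network", ev.app, ev.remote_addr, ev.port)
    if ev.rule_type == "registry":
        return ("registry", ev.app, ev.reg_key, ev.reg_value)
    if ev.rule_type == "com":
        return ("com", ev.app, ev.com_id)
    raise ValueError(f"unknown rule type: {ev.rule_type!r}")


class EventLogger:
    """Logs an event once per duplicate key per hour unless verbose logging is on."""

    def __init__(self, verbose: bool = False, window: float = ONE_HOUR) -> None:
        self.verbose = verbose
        self.window = window
        self._last_logged: Dict[tuple, float] = {}
        self.log: List[Event] = []

    def submit(self, ev: Event) -> bool:
        """Return True if the event was written to the log, False if the timer suppressed it."""
        key = duplicate_key(ev)
        last = self._last_logged.get(key)
        if not self.verbose and last is not None and ev.time - last < self.window:
            return False
        self._last_logged[key] = ev.time
        self.log.append(ev)
        return True


class QueryUserCache:
    """Remembers a user's Yes/No/Terminate answer per rule ID for one hour."""

    def __init__(self, window: float = ONE_HOUR) -> None:
        self.window = window
        self._answers: Dict[int, Tuple[str, float]] = {}

    def resolve(self, rule_id: int, now: float, ask: Callable[[], str]) -> Tuple[str, bool]:
        """Return (answer, prompted); `ask` runs only when no fresh answer is cached."""
        cached = self._answers.get(rule_id)
        if cached is not None and now - cached[1] < self.window:
            return cached[0], False
        answer = ask()
        self._answers[rule_id] = (answer, now)
        return answer, True


def demo_logging(verbose: bool = False) -> List[bool]:
    """Feed constructed events through the logger; returns which ones were logged."""
    logger = EventLogger(verbose=verbose)
    app = r"C:\Program Files\Example\app.exe"  # constructed sample path
    events = [
        Event("file", app, 0, file="payroll.xls"),
        Event("file", app, 600, file="payroll.xls"),       # same app and file within the hour
        Event("file", app, 3700, file="payroll.xls"),      # the hour has elapsed: logged again
        Event("network", app, 10, remote_addr="192.0.2.10", port=445),
        Event("network", app, 20, remote_addr="192.0.2.10", port=445),
        Event("network", app, 30, remote_addr="192.0.2.10", port=80),   # different port
        Event("registry", app, 40, reg_key=r"HKLM\Software\Example", reg_value="Run"),
        Event("registry", app, 50, reg_key=r"HKLM\Software\Example", reg_value="Run"),
    ]
    return [logger.submit(ev) for ev in events]


def demo_query_user() -> List[Tuple[str, bool]]:
    """Three triggers of rule 1042 (constructed ID): answered, auto-applied, re-asked."""
    cache = QueryUserCache()
    return [
        cache.resolve(1042, 0, lambda: "No"),
        cache.resolve(1042, 1800, lambda: "Yes"),   # within the hour: cached "No" wins
        cache.resolve(1042, 3700, lambda: "Yes"),   # cache expired: user is asked again
    ]
```

In normal mode only five of the eight constructed events reach the log; with verbose=True all eight do, which is why Verbose logging is the setting to combine with Audit Mode when you need every recurrence while evaluating a rule set.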

About the Event Management Wizard

When you click the Wizard link from an event in the Event Log page, you launch the Event Management Wizard. You can use the Event Management Wizard to accomplish the following tasks:

Classify an application. This allows you to add an application to the White List, Grey List, or Black List. Rules then permit or restrict the application's actions based on the list it is added to. See Application Trust Levels, page 7-2 for a discussion of these lists. See Using the Event Management Wizard to Set Trust Levels, page 7-3 for the procedure to add applications to the White List, Grey List, and Black List using the Event Management Wizard.

Create an exception rule to allow an action. If an action is being denied on an end user system and you want to allow this action, you can automatically create an "exception" which evaluates the application class and resource information in the event and creates an allow rule which takes precedence over the rule that caused the event. See Creating Exception Rules.

Create an exception rule that stops a specific event from logging. The Wizard makes use of the Take precedence over other <action type> rules feature to manipulate rule precedence and prevent logging of an event. The following rule types make use of precedence manipulation: File access control, Network access control, Registry access control, COM component access control, and Application control. See Creating Exception Rules.

Perform a Behavior Analysis Investigation for the application that caused the event. The Event Management Wizard is available for events triggered by Deny rules and Query User rules. See Perform an Application Behavior Investigation.

Suppress Similar Events. "Similar events" have the same rule ID, are of the same event type, and are reported for the same application. For the purpose of grouping similar events, CSA MC ignores the drive letter or share name of the application. See Event Aggregation and Suppression and Suppressing Similar Events for more information.

Purge similar events from the Event Log. Use this wizard feature to purge all events similar to the event from which the Wizard link was clicked. All but one of these events are purged from the Event Log; the most recent one is left as a representative event.

When administrators in Advanced Mode use the wizard, they have the option of stepping through several configuration screens when performing their task or accepting at once all the choices made by the wizard. Administrators in Simple Mode choose the task they want to perform and then click Finish to accept all the configuration choices made by the wizard.

In most cases, unless you are certain of the behavior that will result from your choices, accept the default choice offered by the wizard when performing your task.

Figure 10-8 Event Management Wizard Link

Creating Exception Rules

When you click the Wizard link from an event in the Event Log page, you can create an exception rule which will "Allow" an action that was previously "Denied" or stop logging an event. The Event Management Wizard is the tool that creates these exceptions. Figure 10-9 shows the initial page of the Event Management Wizard.

Once the exception rule is created, it is placed in a new rule module, which is attached to the same policy as the rule that triggered the event. The rule module is named PolicyName - exceptions, and every subsequent exception for a rule in that policy is placed in that rule module. If the rule that triggered the event belongs to more than one policy, then an exception is created for every policy to which the rule belongs.

The PolicyName - exceptions rule modules are not configurable like other rule modules. All editing of the exceptions must be done in the Exceptions page. Advanced mode users may, however, edit the content of the exception rules.

Figure 10-9 Event Management Wizard

Creating Allow Exception Rules

You can create "Allow" exception rules for the following rule types:

Application control

Buffer overflow

COM component access control

Data Access Control

File access control

Network access control

Registry access control

Rootkit/kernel protection

System API control

To create an exception Allow rule, follow this procedure:


Step 1 Log on to the CSA MC as an administrator with Configure privileges. This task may be performed in Simple Mode or Advanced Mode.

Step 2 From the Event menu, select Event Log.

Step 3 Click the Wizard link in the event that denied the action.

Step 4 In Step 1 of the wizard, select Allow Operation.

Step 5 In the Justification field, type an explanation of why you are creating this Allow exception.

Step 6 (Optional) Select purge targeted events.

In Simple Mode - If you select purge targeted events, all events similar to the one from which you launched the wizard, as well as the event from which you launched the wizard, are purged.

In Advanced Mode - If you select purge targeted events, and you click Next, you have the choice to define what events you want to purge on the next wizard screen.

Step 7 Click Next.

Step 8 In Step 2 of the wizard, define the events for which the exception rule will be created and click Next.

Selecting Take into account all similar events... will create the exception, and purge the events, for all events similar to the one from which you launched the wizard as well as the event from which you launched the wizard.

Selecting Take into account only the current event... is a more restrictive filter and will create the exception, and purge the events, for the event from which you launched the wizard and only for the resources named in that one event.

Step 9 Continue to follow the steps presented by the wizard to create the exception rule and click Finish on the last screen.

Unless you are certain of the behavior that will result from your choices, accept the configurations offered by the wizard in order to create the exception rule.

The Allow exception rule is added to a PolicyName - exceptions rule module and the module is attached to the policy which includes the originating rule.

The exception is then listed with its policy in the Exceptions page. You can reach that page by mousing-over Configuration on the CSA MC menu and selecting Exceptions.


Note If you are working in Advanced Mode you will see all the exceptions that have been made. If you are working in Simple Mode, you will only see the exceptions that have been made to rules in policies that are visible in Simple Mode.


Step 10 When you are ready to distribute this exception rule to users, you will need to Generate Rules.

These are some special use-cases pertaining to "Allow" exception rules:

System API Control/Buffer Overflow:

If the action of the triggering rule is to:

Set - Data payload trust status - as - untrusted

the exception rule will not be to "Allow" the action. Instead the exception will:

Set - Data payload trust status - as - unchanged

If a payload is marked as both "unchanged" and "untrusted," the rule marking the payload as "unchanged" takes precedence.

Additionally, if the event is triggered by the "Handle exceptions" or "Access system functions from code executing in data or stack space" sub-rules and a signature was created as a result of the Set - Data payload trust status - as - untrusted action, the matching signature (or signatures, if the exception rule is configured to consider "similar events") will also be purged to prevent Data Access Control rules from denying an action based on an existing signature.

Data Access Control:

This use case is similar to the previously described System API Control/Buffer Overflow use case but describes what happens when the exception is created from the Data Access Control rule (DACL).

"Allow" exceptions to DACLs can be created if the event was triggered because CSA matched a payload with an existing automatically generated signature and the DACL denied the action based on the presence of that signature.

When you attempt to create an "allow" exception for a DACL, the Event Management Wizard does not actually create a DACL exception rule; it deletes the automatically generated signature(s) that matched the payload, thus preventing further deny actions based on an existing signature.

If the corresponding System API Control "Set - data payload trust status - as - untrusted" event and triggering rule are found, the wizard will also create a System API Control exception rule to Set - data payload trust status - as - unchanged, since the user considers the payload harmless. This prevents further signature generation for that payload.

Rootkit/Kernel Protection:

If the rule that triggered the event was configured with the action to:

Set - detected rootkit trust status - as - untrusted

the exception rule will not be to "Allow" the action. Instead the exception will:

Set - detected rootkit trust status - as - unchanged

If the detected rootkit trust status is marked both "unchanged" and "untrusted," the rule marking the payload as "unchanged" takes precedence.

Creating Logging Exception Rules

When you create an exception logging rule you create a rule that is an exact copy of the rule that triggered the event. The one difference is that the rule created by the wizard has the Take precedence over other <action type> rules checkbox selected and the Log checkbox is unselected. This causes the rule created by the wizard to remain in effect, in the correct precedence within the policy, but not log an event when triggered.

See Rules: Manipulating Precedence, page 5-22 for more information on the manipulating precedence feature.

"Stop Log" exceptions can be created for all the rules containing the "Take precedence over other...rules" checkbox, provided that the rule's action is not Set, Monitor, or Add/Remove Process from an application class, and provided that logging is not enabled.

Therefore you cannot create exception logging rules for these rule types:

Agent UI Control

NT Event Log

Syslog Control

Sniffer and Protocol Detection

Resource Access Control

Server Restart
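To make the two exception kinds concrete, here is an added example (not the CSA MC implementation and not code from the Cisco guide): a toy rule evaluator in which an "Allow" exception is a precedence-flagged allow rule for the same application and resource, and a "Stop Log" exception is an exact copy of the triggering rule with Take precedence set and Log cleared, as described under About the Event Management Wizard and Creating Logging Exception Rules. The rule ID 1042, the IDs the "wizard" hands out, the application and resource strings, exact-match resources, deny-before-allow ordering within a precedence tier, and starting exceptions with logging off (the Editing Exceptions section says an administrator may turn logging on afterwards) are all assumptions of this model.

```python
# Added example (not the CSA MC implementation): a toy rule evaluator showing how the
# two exception kinds the Event Management Wizard creates change evaluation.
# Rule IDs, app and resource strings are constructed; exact-match resources,
# deny-before-allow within a precedence tier, and exceptions starting with logging
# off are assumptions of this model, not statements from the guide.
from dataclasses import dataclass, replace
from itertools import count
from typing import List, Optional, Tuple

_next_id = count(90000)  # constructed IDs for rules the "wizard" creates


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str            # "allow" or "deny"
    app: str               # application (exact match in this toy model)
    resource: str          # resource (exact match in this toy model)
    log: bool = True
    take_precedence: bool = False


def evaluate(rules: List[Rule], app: str, resource: str) -> Tuple[str, Optional[int]]:
    """Return (action, rule_id_logged). Precedence-flagged rules are consulted first;
    within a tier, deny beats allow (assumption). The winning rule logs only if log=True."""
    matches = [r for r in rules if r.app == app and r.resource == resource]
    if not matches:
        return "allow", None   # no rule applies: nothing is denied or logged (model choice)
    matches.sort(key=lambda r: (not r.take_precedence, r.action != "deny"))
    winner = matches[0]
    return winner.action, (winner.rule_id if winner.log else None)


def allow_exception(triggering: Rule) -> Rule:
    """An Allow exception for the event `triggering` produced: allow, with precedence."""
    return Rule(next(_next_id), "allow", triggering.app, triggering.resource,
                log=False, take_precedence=True)


def stop_log_exception(triggering: Rule) -> Rule:
    """A Stop Log exception: exact copy of the rule, Take precedence on, Log off."""
    return replace(triggering, rule_id=next(_next_id), take_precedence=True, log=False)


def demo() -> List[Tuple[str, Optional[int]]]:
    """The original deny logs; the Allow exception overrides it; the Stop Log copy
    keeps the deny in effect but logs nothing."""
    app = r"C:\Program Files\Example\app.exe"          # constructed
    resource = r"C:\Finance\payroll.xls"               # constructed
    deny = Rule(1042, "deny", app, resource)           # the rule that raised the event
    return [
        evaluate([deny], app, resource),
        evaluate([deny, allow_exception(deny)], app, resource),
        evaluate([deny, stop_log_exception(deny)], app, resource),
    ]
```

The point to take from the third case is that a Stop Log exception does not weaken enforcement: the action is still denied, only the event record disappears, which is why the guide recommends editing such exceptions through the Exceptions page where their effect on logging is visible.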

To create a logging exception rule, follow this procedure:


Step 1 Log on to the CSA MC as an administrator with Configure privileges. This task may be performed in Simple Mode or Advanced Mode.

Step 2 From the Event menu, select Event Log.

Step 3 Click the Wizard link in the event that you want to stop logging.

Step 4 Select Stop Logging This Event.

Step 5 (Optional) Select purge targeted events.

In Simple Mode - If you select purge targeted events, all events similar to the one from which you launched the wizard, as well as the event from which you launched the wizard, are purged.

In Advanced Mode - If you select purge targeted events, and you click Next, you have the choice to define what events you want to purge on the next wizard screen.

Step 6 Click Next.

Step 7 In Step 2 of the wizard, define the events for which the exception rule will be created and click Next.

Selecting Take into account all similar events... will create the exception, and purge the events, for all events similar to the one from which you launched the wizard as well as the event from which you launched the wizard.

Selecting Take into account only the current event... is a more restrictive filter and will create the exception, and purge the events, for the event from which you launched the wizard and only for the resources named in that one event.

Step 8 Continue to follow the steps presented by the wizard to create the exception rule and click Finish on the last screen.

Unless you are certain of the behavior that will result from your choices, accept the configurations offered by the wizard in order to create the exception rule.

The logging exception rule is added to a PolicyName - exceptions rule module and the module is attached to the policy which includes the originating rule.

The exception is then listed with its policy in the Exceptions page. You can reach that page by mousing-over Configuration on the CSA MC menu and selecting Exceptions.


Note If you are working in Advanced Mode you will see all the exceptions that have been made. If you are working in Simple Mode, you will only see the exceptions that have been made to rules in policies that are visible in Simple Mode.


Step 9 When you are ready to distribute this exception rule to users, you will need to Generate Rules.

Configuring Exceptions

The Exceptions page lists the policies that contain exceptions to rules. Expanding the policy listing displays the exception rule.

Exception rules are maintained in the policy for which they were created. All exceptions for a particular policy are attached to a special rule module called PolicyName - exceptions.

Advanced Mode users will see all the exceptions that have been created. Simple Mode users will see the exceptions that have been created for the policies that are visible in Simple Mode.

Exceptions are created by using the Event Management Wizard. See Creating Exception Rules, Creating Allow Exception Rules, and Creating Logging Exception Rules for more information on how to create an exception.

Editing Exceptions

Generally speaking, users are expected to accept the configuration choices offered by the wizard in order to create the exception rule. However, even after the exception is created by the wizard, Advanced Mode users can still edit the rule.

This gives the administrator the flexibility of turning on logging or broadening the scope of the exception if it is warranted.

To edit an exception, follow this procedure:


Step 1 Log on to the CSA MC as a user with configure privileges and switch to Advanced Mode.

Step 2 From the Configuration menu, select Exceptions.

Step 3 Expand the listed policies to show the exceptions made for rules in that policy.

Step 4 Click the link to the exception you want to edit.

Step 5 Edit the rule that is displayed and click Save.

Step 6 When you are ready to distribute the exception to hosts, generate rules.


Note It is recommended that exceptions be edited through the Exceptions page rather than through the module itself.


Enabling, Disabling, and Deleting Exceptions


Step 1 Log on to the CSA MC as a user with configure privileges. You can perform this task in Simple Mode or Advanced Mode. If you are working in Advanced Mode you will see all the exceptions that have been made. If you are working in Simple Mode, you will only see the exceptions that have been made to rules in policies that are visible in Simple Mode.

Step 2 From the Configuration menu, select Exceptions.

Step 3 Expand the policies to show the exceptions made to rules in that policy.

Step 4 Select the exception you want to enable, disable, or delete.

Step 5 Click the Enable, Disable, or Delete button at the bottom of the page.

Step 6 Generate rules in order to distribute these changes.

Moving and Copying Exceptions


Step 1 Log on to the CSA MC as a user with configure privileges. You can perform this task in Simple Mode or Advanced Mode. If you are working in Advanced Mode you will see all the exceptions that have been made. If you are working in Simple Mode, you will only see the exceptions that have been made to rules in policies that are visible in Simple Mode.

Step 2 From the Configuration menu, select Exceptions.

Step 3 Expand the policies to show the exceptions made to rules in that policy.

Step 4 Select the exception you want to move or copy.

Step 5 Click the Move or Copy button at the bottom of the page.

Step 6 Select the policy to which you want to move or copy the exception. If you are working in Advanced Mode you may choose from all available policies. If you are working in Simple Mode, you may choose from only the policies visible in Simple Mode.

If an exception is moved to a policy it retains its Rule ID. If an exception is copied to another policy, the exception receives a new Rule ID.

Step 7 Generate rules in order to distribute these changes.

Perform an Application Behavior Investigation

When you click the Wizard link from the Event Log page, you can choose to Analyze Application, which configures a behavior analysis to investigate the application that triggered the event (see Figure 10-9). This wizard option is available for users of Advanced Mode only.

If you select Analyze Application, to create a behavior analysis, optionally you can choose to Disable policy rule enforcement for the time frame of the analysis. Otherwise, the analysis takes place only within the confines of enforced policies. In that case, some events may be denied by rules during the analysis and therefore the analysis may not be complete.

If you select the Disable policy rule enforcement checkbox, when the logging agent receives an analysis, any policies relevant to the application being analyzed are disabled on the selected host until the behavior analysis is completed. You should understand that if the application being analyzed is untrusted or potentially a virus, you will allow it to run unimpeded during the analysis if you disable policy rule enforcement.

Figure 10-10 Behavior Analysis Wizard Step 2

If you decide that the application is not dangerous and it can run without any policy restrictions, you can begin to configure the behavior analysis.

Figure 10-11 Behavior Analysis Wizard Step 3

The next behavior analysis wizard page (see Figure 10-11) displays the application that triggered the event. This is the application the behavior analysis will investigate. Optionally, you can select other application classes to be analyzed. But in that case, the policy created would apply equally to all applications included in the analysis. For example, if the application class you are analyzing contains both Microsoft Word and Microsoft Outlook, the policy generated by the behavior analysis would be a combination of the resources required by both applications.

Continuing to click the Next button through the behavior analysis wizard configures the analysis with chosen defaults for analysis workstation and time frame. You can choose to edit these defaults or to accept them by making no changes.

When the wizard completes, it takes you to the new behavior analysis configuration page as it appears in CSA MC. You can edit it at this time or you can deploy the analysis by doing the following:

Generate rule programs to distribute the behavior analysis to the host.

Wait for the logging process to stop or click the Stop logging button to force the stop.

Click the Start analysis button to start the analysis of the logged data.

Optionally, use the Import button to import the policy, examine it and, if appropriate, deploy it to hosts.

Suppressing Similar Events

When you click the Wizard link from the Event Log page, you can choose to Suppress Similar Events based on the event from which you click the wizard link (see Figure 10-9). "Similar events" have the same rule ID, are of the same event type, and are reported for the same application. For the purpose of grouping similar events, CSA MC ignores the drive letter or share name of the application.

Event suppression is best used when you have a reoccurring event that is more noisy than useful to you. This is something you are aware of, but no longer wish to see. Suppressing the event removes all viewable instances of that event and causes further events of the same type to be hidden. Note that these events remain in the database, they are simply not displayed.

Simple Mode users select Suppress Similar Events in the Event Management Wizard and then Finish to suppress the events.

Advanced Mode users select Suppress Similar Events in the Event Management Wizard and can click Next to view a summary of the rule type, rule ID, and application for which the event was reported. Clicking Finish suppresses the events.

Figure 10-12 Event Suppression Filter Wizard Step 2

Viewing Event Suppression Filters

Once you create the event suppression filter using the Wizard, that filter is viewable from a link in the Show suppressed events field at the top of the Event Log page. In Figure 10-13, find the Show suppressed events: No [2 event suppression filters defined] link.

Figure 10-13 Show suppressed events link

When you click the Show suppressed event <#> event suppression filters defined link, a pop-up window appears from which you can either remove the filter to once again show all the events or purge all the events that have been filtered out. See Figure 10-14.

Figure 10-14 Remove Filter or Purge Events Pop-up

Purge Similar Events

When you click the Wizard link from the Event Log page, you can choose to Purge Similar Events based on the event from which you click the wizard link (see Figure 10-9). All but one of the similar events are purged from the Event Log; the most recent one is left as a representative event. Once purged, they cannot be recovered.

Simple Mode users select Purge Similar Events in the Event Management Wizard and then Finish to purge the events.

Advanced Mode users select Purge Similar Events in the Event Management Wizard and can click Next to view a summary of the rule type, rule ID, and application for which the event was reported. Clicking Finish purges the events.
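As an added example (not part of the Cisco guide), the following groups events the way the text defines "similar events" for both Suppressing Similar Events and Purge Similar Events: same rule ID, same event type, same application, with the application's drive letter or share name ignored. It then applies a suppression filter, which hides a group without deleting anything, and a purge, which deletes the group except its most recent event. The Event class and sample values are constructed; treating a leading \\server\share\ prefix as the "share name" and folding case are this example's interpretation.

```python
# Added example (not part of the Cisco guide): grouping "similar events", applying an
# event suppression filter, and purging a group while keeping its most recent event.
# Event fields and sample values are constructed; UNC-prefix handling and case
# folding are this example's interpretation of "ignores the drive letter or share name".
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SimilarKey = Tuple[int, str, str]

# Matches "C:\" or "\\server\share\" at the start of a Windows path.
_PREFIX = re.compile(r"^(?:[A-Za-z]:\\|\\\\[^\\]+\\[^\\]+\\)")


@dataclass(frozen=True)
class Event:
    event_id: int          # increasing in order of arrival at CSA MC
    rule_id: int
    event_type: str        # e.g. "File access control"
    app: str               # full process path


def normalized_app(path: str) -> str:
    """Strip the drive letter or UNC share so the same binary on D: or a share groups together."""
    return _PREFIX.sub("", path, count=1).lower()


def similar_key(ev: Event) -> SimilarKey:
    """Rule ID, event type and normalized application: the grouping key for similar events."""
    return (ev.rule_id, ev.event_type, normalized_app(ev.app))


def visible_events(events: List[Event], filters: Set[SimilarKey]) -> List[Event]:
    """Suppression: events in a suppressed group stay in the store but are not shown."""
    return [ev for ev in events if similar_key(ev) not in filters]


def purge_similar(events: List[Event], origin: Event) -> List[Event]:
    """Purge every event similar to `origin` except the most recent one of the group."""
    key = similar_key(origin)
    group = [ev for ev in events if similar_key(ev) == key]
    if not group:
        return list(events)
    keep = max(group, key=lambda ev: ev.event_id)
    return [ev for ev in events if similar_key(ev) != key or ev is keep]


def demo() -> Dict[str, List[int]]:
    """Constructed events: the same app reported from C:, D: and a share, plus two others."""
    events = [
        Event(1, 1042, "File access control", r"C:\Program Files\Example\app.exe"),
        Event(2, 1042, "File access control", r"D:\Program Files\Example\app.exe"),
        Event(3, 1042, "File access control", r"\\fileserver\apps\Program Files\Example\app.exe"),
        Event(4, 1042, "Network access control", r"C:\Program Files\Example\app.exe"),
        Event(5, 2000, "File access control", r"C:\Windows\notepad.exe"),
    ]
    origin = events[0]
    similar = [ev.event_id for ev in events if similar_key(ev) == similar_key(origin)]
    suppressed = visible_events(events, {similar_key(origin)})
    purged = purge_similar(events, origin)
    return {
        "similar_to_origin": similar,
        "visible_after_suppression": [ev.event_id for ev in suppressed],
        "remaining_after_purge": [ev.event_id for ev in purged],
    }
```

Note the difference between the two operations on the same group: after suppression events 1 through 3 are still in the store and can be brought back by removing the filter, whereas after a purge only event 3 survives and the rest are gone for good.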

Event Sets

Configure event sets for use in alerts, reports, and event logs. When configuring alerts, event sets cause CSA MC to trigger alerts based on specified events. Once configured, these event set configurations become available in corresponding alert selection fields.


Note CSA MC ships with several preconfigured event sets you can use. If the included event sets do not suit your needs, use the instructions in the following pages to configure new event sets or to edit existing ones.


When creating your event sets, it's a good idea to adopt a naming convention that lets you quickly recognize event sets in your Alert configuration view.


Note To learn more about how event sets are used for generating reports, see Chapter 11, "Generating Reports".


To configure event sets, do the following.


Step 1 Move the mouse over Events in the menu bar of CSA MC. Select Event Sets from the drop-down list that appears. All existing event set configurations are shown.

Step 2 Click the New button to create a new event set. This takes you to the configuration view.

Step 3 In the available edit fields, enter the following information (see Figure 10-15):

Name—This is a unique name for this event set. Generally, it's a good idea to adopt a naming convention that lets you quickly recognize Event Sets in Alert configuration fields.

Description—This is a line of text that is displayed in the list view and helps you to identify this particular Event Set configuration in the event set list view.

Under the Event Specification section, enter optional filtering parameters.


Note To select multiple items in a list box, hold down the Ctrl key as you select each item. To unselect a single item, hold down the Ctrl key when you click on the item in question. Press the Shift key to select multiple successive items.


Step 4 Select Filter by event specifications.

Leave the Include all event types radio button selected to have events of all types included or select the Include only the following selected event types radio button. If you select the second radio button, then you must also select specific event log messages to filter by. These messages represent the spectrum of generated events that appear in the Event Log view.

Step 5 Select Filter by severity specifications.

Leave the Include all severity levels radio button selected to have events of all severity levels included or select the Include only the following selected severity levels radio button. If you select the second radio button, then you must also select the severity level(s) that will trigger an alert for this event set. Available levels are: Information, Notice, Warning, Error, Alert, Critical, Emergency.

Step 6 Select Filter by group specifications.

Leave the Include all hosts radio button selected to have events generated by all hosts included or select the Include only hosts in the following selected groups radio button. If you select the second radio button, then you must select the group(s) that trigger an alert for this event set. Any groups selected here that log the event in question will trigger an alert.

Step 7 Select Filter by rule module specifications.

Leave the Include all rule modules radio button selected to have events generated by all rule modules included or select the Include only rules in the following selected rule modules radio button. If you select the second radio button, then you must select the rule module(s) that trigger an alert for this event set. Any rule modules selected here that log the event in question will trigger an alert.

Step 8 Select Filter by time specifications.


Note If you do NOT have "Include all timestamps" selected, the Event Set is not available for use in Alerts.


Leave the Include all timestamps radio button selected to have events generated at all times included or select the Include only these timestamps radio button. If you select the second radio button, then you can create a custom time here or select from available times, Today, Last 24 hours, Last 7 days, Last 30 days, and Events older than <you specify #> days to trigger an alert when an event occurs within the specified time range.

You can also enter Custom start and Custom end times in the following manner:

Specify a relative time using any of the following terms: tomorrow, yesterday, today, now, last, this, next, ago, year, month, week, day, hour, minute, and second.

Enter a specific time using the format hh:mm:ss. If no meridian (AM or PM) is specified, hh is interpreted on a 24 hour clock (0-23). Note that entering minutes and/or seconds is optional.

Enter a specific month and day with optional year in the formats: mm/dd/yy, monthname dd, yy. The default year is the current year.


Note When you select multiple categories to filter by, all selections have to match.


Step 9 When all required information is entered, click the Save button to enter and save your event set in the CSA MC database.

In the Event Sets configuration page, the CSA MC frame at the bottom of the page provides a View button and a Purge events button.

When you click the View button, all events that match the configured event set are displayed.


Caution When you click the Purge events button, all events that match the configured event set are deleted from the event log. If you make changes to an existing Event Set and click the Purge events button without saving those changes, all edits are saved and events are purged.

Figure 10-15 Event Set Configuration View
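The following is an added example, not code from the Cisco guide or from CSA MC. It models an event set as a filter over logged events with the semantics given in Steps 4 through 8: each category is either "include all" or a selected list, and when several categories are selected all of them must match. It also shows the Last N days and Events older than N days presets as time windows, and what the Purge events button does to the events a set matches. Severity names and codes follow Table 10-1; the LoggedEvent class, its group field, and the sample values are constructed.

```python
# Added example (not part of the Cisco guide): an event set as an AND filter over
# logged events, with the time presets as windows and the Purge events action.
# LoggedEvent, its field names and all sample values are constructed.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

SEVERITY_CODES = {"Information": 1, "Notice": 2, "Warning": 3, "Error": 4,
                  "Alert": 5, "Critical": 6, "Emergency": 7}   # Table 10-1

DAY = 86400.0


@dataclass(frozen=True)
class LoggedEvent:
    event_time: float      # seconds since epoch, host clock
    event_type: str        # e.g. "File access control"
    severity: str          # one of SEVERITY_CODES
    group: str             # group of the host that generated the event (constructed field)
    rule_module: str


@dataclass
class EventSet:
    name: str
    event_types: Optional[Set[str]] = None      # None means "Include all event types"
    severities: Optional[Set[str]] = None       # None means "Include all severity levels"
    groups: Optional[Set[str]] = None           # None means "Include all hosts"
    rule_modules: Optional[Set[str]] = None     # None means "Include all rule modules"
    time_window: Optional[Tuple[float, float]] = None   # (start, end); None = all timestamps

    def matches(self, ev: LoggedEvent) -> bool:
        """Every category that is narrowed must match ("all selections have to match")."""
        checks = [
            self.event_types is None or ev.event_type in self.event_types,
            self.severities is None or ev.severity in self.severities,
            self.groups is None or ev.group in self.groups,
            self.rule_modules is None or ev.rule_module in self.rule_modules,
        ]
        if self.time_window is not None:
            start, end = self.time_window
            checks.append(start <= ev.event_time <= end)
        return all(checks)


def last_n_days(now: float, days: int) -> Tuple[float, float]:
    """Window for presets such as Last 24 hours / Last 7 days / Last 30 days."""
    return (now - days * DAY, now)


def older_than_days(now: float, days: int) -> Tuple[float, float]:
    """Window for Events older than <#> days."""
    return (float("-inf"), now - days * DAY)


def at_least(level: str) -> Set[str]:
    """Select every severity at or above `level` (a convenience of this example)."""
    floor = SEVERITY_CODES[level]
    return {name for name, code in SEVERITY_CODES.items() if code >= floor}


def purge_matching(events: List[LoggedEvent], es: EventSet) -> List[LoggedEvent]:
    """What the Purge events button does: delete every event the set matches."""
    return [ev for ev in events if not es.matches(ev)]


def demo() -> dict:
    now = 1_000_000.0
    finance = EventSet(
        "Finance - file events, Warning and above, last 7 days",
        event_types={"File access control"},
        severities=at_least("Warning"),
        groups={"Finance Desktops"},
        time_window=last_n_days(now, 7),
    )
    recent = LoggedEvent(now - 2 * DAY, "File access control", "Error", "Finance Desktops", "Payroll lockdown")
    stale = LoggedEvent(now - 30 * DAY, "File access control", "Error", "Finance Desktops", "Payroll lockdown")
    other_group = LoggedEvent(now - DAY, "File access control", "Error", "Engineering", "Payroll lockdown")
    low_sev = LoggedEvent(now - DAY, "File access control", "Notice", "Finance Desktops", "Payroll lockdown")
    housekeeping = EventSet("Older than 14 days", time_window=older_than_days(now, 14))
    kept = purge_matching([recent, stale, other_group, low_sev], housekeeping)
    return {
        "recent": finance.matches(recent),
        "stale": finance.matches(stale),
        "other_group": finance.matches(other_group),
        "low_severity": finance.matches(low_sev),
        "kept_after_housekeeping_purge": len(kept),
    }
```

A set that narrows four categories, as the Finance example does, is deliberately selective: one mismatching category is enough to exclude an event, so when an expected alert does not fire, check each category of the event set in turn rather than only the event type.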

Third Party Access to Events

To access events in the database for exporting to a different format (or for your own reports), connect to the database using ODBC DSN "csamc60dsn."

You can access events through the database view EventListView. (This is a SQL Server view.) The columns defined in this view are as follows:


Note SNMP and Log file alert types can be used by third party event management applications. See page 49 for more details on those alert fields. (Note that the fields in the SNMP and Log file alerts are the same as those described in Table 10-1.)


Table 10-1 EventList View Fields

Field
Description

EventId

An ID uniquely identifying the event. Increasing, in order of event arrival at CSA MC.

EventTime

The time at which the event occurred, using the clock of the host that generated the event.

HostId

An integer uniquely identifying the host that generated the event. This is NULL for events generated by CSA MC.

HostName

A non-unique string name for the host that generated the event.

HostOSType

The OS type for the host that generated the event: 'W' for Windows, 'U' for UNIX.

CurrentHostIPAddress

The most recently recorded IP address for the host that generated the event.

SeverityCode

An integer, in increasing severity: Information (1), Notice (2), Warning (3), Error (4), Alert (5), Critical (6), Emergency (7).

SeverityName

The string representation of SeverityCode.

ProcessName

When applicable, the full path of the process that generated the event.

FileName

When applicable, the name (not path) of the relevant file from a file event.

SourceIPAddress

When applicable, the source IP address of a network event.

DestinationIPAddress

When applicable, the destination IP address of a network event.

RuleId

An integer uniquely identifying the rule that caused the event.

EventType

A string representing the type of the rule that caused the event, as discussed in Chapters 4 and 5. This field can be used as a broad-level categorization of CSA MC events. Possible values are as follows: File access control, Network access control, Network shield, Registry access control, System API control, Sniffer and protocol detection, File version control, COM component access control, Clipboard access control, Service restart, NT Event log, Application control, Agent service control, Agent UI control, Data access control, Connection rate limit, Analysis, Kernel protection, Network interface control, Rootkit / kernel protection, Buffer overflow, Syslog control, Resource access control, Downloaded content, Global virus scan, Global event log, Global network scan, Global email worm, Global IP address quarantine, Self-protection, Administrative.

RuleDescription

The user-specified string description for the rule that caused the event.

RuleModuleId

An integer uniquely identifying the rule module which contains the rule that caused the event.

RuleModuleName

The string name of the rule module which contains the rule that caused the event.

EventCode

An integer which uniquely defines the event code.

EventCodeTag

A short string representing the event code.

EventText

The complete formatted text of the event. (An Audit Mode event is preceded by the string "AUDITMODE".)

SourcePort

When applicable, the port used by the source of a network event.

DestinationPort

When applicable, the port used by the destination of a network event.

ButtonCode

The bottom 16 bits of this field represent the button that was pressed, with short integer values as follows: Yes (1), No (2), Terminate Process (3), OK (4). The upper 16 bits of this field indicate whether the button was selected by default: a zero value means the user actually pressed the button, while a non-zero value means the default was chosen, for example because the query timed out.

Username

The name of the logged-in user at the time of the event.

RulePriority

The priority of the rule in question.


Configuring Alerts

You can configure CSA MC to send various types of alerts to specified recipients when a policy triggers an event. Available alert types include: Email, SNMP, Log to file, Named pipes and a Custom program that you provide.

Each alert type requires you to enter specific information. See Table 10-2 for details.

To configure CSA MC to issue alerts when specified system events occur, do the following.


Step 1 Move the mouse over Events in the menu bar and select Alerts from the drop-down list that appears. The list of Alerts (if any) appears.

Step 2 Click the New button to create a new alert. This takes you to the configuration view.

Step 3 In the Alert configuration view (see Figure 10-16), enter a Name and a useful Description. This information is displayed in the list view and helps you to identify this particular alert.

Step 4 From the Send alerts for the following event set list box, select the event set(s) you want to trigger the alert you're creating. Configuring Event Sets provides flexibility in selecting the events for which you want to be alerted.


Note The "time" filter in an event set is ignored for alerts. Alerts are generated as events are logged.


To select multiple items in a list box, hold down the Ctrl key as you select each item. To unselect a single item, hold down the Ctrl key when you click on the item in question. Press the Shift key to select multiple successive items.

If the available options here do not meet your needs, you can configure event set variables which become selectable in this field.

Step 5 In the available alert configuration fields, enter data for one or more of the following alert types: Email, SNMP, Log, Named pipe, Custom (for alert configuration information, refer to Table 10-2).

For each alert type you want to send, select the corresponding checkbox and enter the required alert-specific information.


Note Although you can enter data into all available alert edit fields, if you do not check the corresponding checkbox, the alert in question is not enabled; however, the information you've entered is stored in the database. You can enable the alert type at a later time.


Step 6 When your information is entered, click the Save button to save your new alert(s).


Note Use the Clear Pending Alerts button to clear all alerts that have been triggered by events but not yet sent. You might want to do this if several events are occurring simultaneously or continuously, you have already disabled the alert, and you have no further need for the continual notifications that are pending.


Figure 10-16 Alert Configuration View

Table 10-2 Alert Type Descriptions

Alert Type: Email

Recipient

Enter the email address of the mail recipient. Angle brackets are optional; CSA MC adds them automatically if you omit them. You can enter multiple addresses separated by commas: <dpaul@example.com>

Sender address to use

Enter the mail sender in angle brackets. Some mail servers require this to be specified: <jsmith@example.com>

Address of SMTP server

Enter the IP address or DNS name of the SMTP server.

Alert Type: SNMP

Community Name

Enter the community name. This is a text string agreed upon with the SNMP manager, for example: public

Manager IP Address

Enter the IP address of the system where the SNMP trap should be sent. Optionally, you can append a colon and a port number (":<port number>") to the IP address if you are using a non-standard port. (The standard port is 162.)

Refer to the CSAMC-SNMPv2.mib document in the CSAMC\CSAMC60\doc directory for SNMP MIB definitions of Cisco-specific objects.

Also see Third Party Access to Events for third party event management details.

Alert Type: Log

Log file name (using full path)

Enter a name for the flat logging file that events will be written to, for example: c:\alerts\logfile.txt

This file can then be used by third party event management applications. See Third Party Access to Events for details.

* In a distributed configuration, the path must correspond to the polling server system.

Alert Type: Custom

Custom Program

Enter the name of a custom alert program here. The server calls the program exactly as it appears in this field, so you must enter the full pathname for CSA MC to locate the program. Your custom program must be an executable file, for example: c:\Program Files\Cisco\CSAMC\CSAMC60\program.exe

CSA MC passes the event message to the program in a file whose name is supplied as the program's first parameter. Alternatively, the program can read the event message from its standard input. The file containing the event is automatically deleted when the program exits or closes its standard input.

FEATURE NOTES:

* The custom program must exist on the same system as CSA MC, in the CSAMC60 directory or a subdirectory of it.

* Custom programs cannot require any user input.

* If a custom program is triggered and fails for some reason, it can take several minutes before the program closes itself and attempts to launch again. (If you are testing custom program alerts, one way to tell whether the program has launched and is running is to watch for it in the Task Manager.)

* In a distributed configuration, the path must correspond to the polling server system.

Alert Type: Named Pipe

Named Pipe

A named pipe is a form of interprocess communication. This alert type allows the integration of third party software for the purpose of receiving alerts over Windows named pipes. Consult your third party documentation for further configuration details.

Note that this feature is for use with third party vendors that support alerts over Windows named pipes.

Generate an Alert Log File for Third Party Applications

Using the Log checkbox and the Log file edit field in the Alerts configuration page (see Figure 10-16), you can have CSA MC generate a flat logging file to which events are written. Third party event management applications can then parse the information found in this file.

To generate this file, select the Log checkbox and enter the Log file name, using the full path that you want to write event data to. For example, enter c:\alerts\logfile.txt

Event data is written to this file as follows:

EventId,EventTime,HostId,HostName,
CurrentHostIPAddress,HostOSType,Severity,EventType,
EventText,EventCodeTag,FileName,ProcessName,
SourceIPAddress,DestinationIPAddress,SourcePort,
DestinationPort,RuleId,RuleDescription,RulePriority,
RuleModuleId,RuleModuleName,ButtonCode,UserName

Fields within an entry are separated by commas. Event entries are separated from each other by a carriage return/line feed (ASCII hex 0D 0A).

Once a log file exceeds 1 MB, it is closed and its name is suffixed with a time stamp. A new file, using the same file name entered in the CSA MC Alerts Log file field, is then created. Events continue to be written to this new file until it reaches 1 MB. The third party application that consumes the log files is expected to manage the deletion and archiving of these files once processing is complete.


Note This file data is encoded in UTF-8 format.
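The log file format described above, together with the ButtonCode field defined earlier in this section, as an added consumer example (this is not Cisco's code): it reads entries in the listed field order, names the severity, splits ButtonCode into the button pressed and whether it was taken by default, flags Audit Mode entries, and filters enforced events by severity. The two sample entries are constructed for the example (hostnames, paths, rule ids and the EventCodeTag strings are made up), and the code assumes that the Severity field holds either the numeric code or its name and that any comma inside a field is quoted in the ordinary CSV way, which the page does not state.

```python
"""Consumer for the CSA MC alert log file format.

Added example, not Cisco code. The field order, ButtonCode bit layout and
SeverityCode table come from this chapter; the sample entries below and the
CSV quoting assumption are constructed for the example.
"""
import csv
import io

# Field order for each entry in the alert log file (from the section above).
ALERT_LOG_FIELDS = [
    "EventId", "EventTime", "HostId", "HostName",
    "CurrentHostIPAddress", "HostOSType", "Severity", "EventType",
    "EventText", "EventCodeTag", "FileName", "ProcessName",
    "SourceIPAddress", "DestinationIPAddress", "SourcePort",
    "DestinationPort", "RuleId", "RuleDescription", "RulePriority",
    "RuleModuleId", "RuleModuleName", "ButtonCode", "UserName",
]

# SeverityCode -> SeverityName, in increasing severity.
SEVERITY_NAMES = {1: "Information", 2: "Notice", 3: "Warning", 4: "Error",
                  5: "Alert", 6: "Critical", 7: "Emergency"}

# Button identifiers carried in the low 16 bits of ButtonCode.
BUTTON_NAMES = {1: "Yes", 2: "No", 3: "Terminate Process", 4: "OK"}

# Constructed sample: two CRLF-terminated entries. All values are made up.
SAMPLE_LOG = "\r\n".join([
    r"1001,2024-01-01 10:00:00,7,ws01,10.0.0.5,Windows,3,File access control,"
    r"Process C:\tools\editor.exe tried to write the hosts file. User chose Yes.,"
    r"FILE_WRITE,hosts,C:\tools\editor.exe,,,,,42,Query user on hosts file write,"
    r"20,5,Sample module,1,ws01\alice",
    r"1002,2024-01-01 10:05:30,7,ws01,10.0.0.5,Windows,5,Network access control,"
    r"AUDITMODE Process C:\tools\updater.exe tried to connect to 203.0.113.9 port 445.,"
    r"NET_CONNECT,,C:\tools\updater.exe,10.0.0.5,203.0.113.9,49152,445,57,"
    r"Block outbound SMB,10,5,Sample module,65538,ws01\alice",
]) + "\r\n"


def decode_button_code(raw):
    """Split ButtonCode into (button name, default_taken).

    Low 16 bits identify the button; the high 16 bits are zero when the user
    actually pressed it and non-zero when the default was taken (for example
    because the query timed out). Non-query events are assumed to carry an
    empty or zero ButtonCode, which decodes to (None, False).
    """
    value = int(raw) if raw.strip() else 0
    button = value & 0xFFFF
    default_taken = (value >> 16) != 0
    if button == 0:
        return None, False
    return BUTTON_NAMES.get(button, "Unknown(%d)" % button), default_taken


def parse_alert_log(data):
    """Parse UTF-8 alert log text (str or bytes) into one dict per event."""
    text = data.decode("utf-8") if isinstance(data, bytes) else data
    events = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue  # tolerate blank lines between entries
        if len(row) != len(ALERT_LOG_FIELDS):
            # A field-count mismatch usually means an unquoted comma inside
            # EventText; refuse rather than silently misalign the columns.
            raise ValueError("expected %d fields, got %d: %r"
                             % (len(ALERT_LOG_FIELDS), len(row), row[:3]))
        event = dict(zip(ALERT_LOG_FIELDS, row))
        sev = event["Severity"]
        event["SeverityName"] = (SEVERITY_NAMES.get(int(sev), "Unknown")
                                 if sev.isdigit() else sev)
        event["Button"], event["ButtonWasDefault"] = decode_button_code(event["ButtonCode"])
        # Audit Mode events carry the AUDITMODE prefix in EventText.
        event["AuditMode"] = event["EventText"].startswith("AUDITMODE")
        events.append(event)
    return events


def actionable_events(events, minimum="Alert"):
    """Return enforced (non-Audit-Mode) events at or above the given severity."""
    code_of = {name: code for code, name in SEVERITY_NAMES.items()}
    floor = code_of[minimum]
    return [e for e in events
            if not e["AuditMode"] and code_of.get(e["SeverityName"], 0) >= floor]


def parse_sample():
    """Parse the constructed sample entries."""
    return parse_alert_log(SAMPLE_LOG)


if __name__ == "__main__":
    for e in parse_sample():
        print(e["EventId"], e["SeverityName"], e["EventType"], e["Button"],
              "default" if e["ButtonWasDefault"] else "",
              "AUDIT" if e["AuditMode"] else "")
```

When ingesting real files, read both the current file and the time-stamp-suffixed copies that the 1 MB rotation leaves behind, open them as UTF-8, and treat a field-count error as a signal that the producer emitted an unquoted comma rather than as a line to skip.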