From: Lewis, Eric (ISS Herndon) (elewisiss.net)
Date: Thu May 26 2005 - 08:07:01 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

You can create a trigger event in the database on the table that holds
the status information and then have SQL Server send you an email...at
least that's how I did it prior to coming to ISS. You can use something
similar to this:

-- =============================================
-- Trigger for emailing Component status changes
-- Author: Eric Lewis, Technical Security Officer

-- =============================================
SET NOCOUNT ON
GO

CREATE TRIGGER trig_EricLewis
ON dbo.Component
FOR UPDATE
AS
IF UPDATE(Status)
BEGIN
  DECLARE sensornm1 nvarchar(100)
  DECLARE statusdsc1 char(40)
  DECLARE delstatusdsc1 char(40)
  DECLARE sensortotal1 varchar(140)
  SET sensornm1 = (SELECT SensorName FROM Inserted)
  SET statusdsc1 = (SELECT StatusDesc FROM Inserted,dbo.ComponentStatus
WHERE Status=StatusValue)
  SET delstatusdsc1 = (SELECT StatusDesc FROM
Deleted,dbo.ComponentStatus WHERE Status=StatusValue)
  SET sensortotal1 = sensornm1+' '+statusdsc1
  IF statusdsc1 != delstatusdsc1
    exec sp_send_cdontsmail
'eric.lewismail.va.gov','eric.lewismail.va.gov',sensortotal1,'Please
check sensors!'
END
GO

-------------------------------------------------------
You should build some error checking into it or thresholds to prevent
getting flooded with emails just in case something goes haywire. Also,
this is an old version of the trigger I built so since the database
schema has changed I haven't verified these are the correct tables. The
nice thing about this trigger is that you can also see when your
Internet Scanners start and stop their scans. If you only want to see a
certain group of sensors then you'll need to exclude them. A good
example of this is that you probably don't want to see everytime a
desktop sensor changes status especially in a large environment. I
believe that ISS is building this type of alerting into future service
packs of SiteProtector.

Eric S. Lewis, CISSP, CEH, NSA IAM, CCSA, MCSE
Senior Systems Engineer
Internet Security Systems
Office 703.925.2013
Cell 703.582.5521
Fax 703.925.2019

-----Original Message-----
From: issforum-bouncesatla-mm1.iss.net On Behalf Of Nicholas Cross
Sent: Tuesday, May 24, 2005 4:46 AM
To: issforumatla-mm1.iss.net
Subject: [ISSForum] Alert on sensor "Not Responding"

How can I setup ISS SP2.0 to alert whenever a sensor is seen as "Not
Responding" in the console view?

We have a number of NIDS that occassionally fail, but the issDaemon and
issCSF et al. serives are still running on the NIDS, but the events are
not being sent back to the console. It would be of benefit if we could
be alerted to this fact via SNMP.

Or are we looking at a shell script to capture the heartbeat/stats
events and to determine whether one has been seen in the last 10mins or
so? We have all the alerting turned on, in the event collector
prefences at the moment.

How does everyone else do this on the list?

best regards,

Nick.

yes, i didnt email from my work account ;-) I am that paraniod
_______________________________________________
ISSForum mailing list
ISSForumiss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforumiss.net

The ISSForum mailing list is hosted and managed by Internet Security
Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.

_______________________________________________
ISSForum mailing list
ISSForumiss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforumiss.net

The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]