CSA / Securityworks not sending alert emails.

Jun 20th, 2007

CSA installed and in test mode collecting events. Working through rules, and policies. (If anyone has a down and dirty way to do that, I would greatly appreciate it, CSA is a huge can of worms)


So, under Security agent, event, alert, I set it up to send an email for ALL ALERTS, simply to see if it works. I enter a valid internal company email as the recipient, and a valid company internal email as the sender. For the address of the mail server I have Servername.network.net. I put in a 'subject' line.


Then after a few minutes I get an event, and this shows up.


410 6/20/2007 3:11:13 PM - Warning The notification process failed to send 1 alert(s) using mail alert 'Network and Security Team Notify'.

123 similar events (same Type/Rule ID/Application)Find Similar

Tried changing the sender / the recipient, and the server to the IP address. Still the same message. What am I doing wrong? Doesn't look that difficult.

Anonymous (not verified) Tue, 06/26/2007 - 14:36

I think you have to create an event set from the event set page to include only alerts. The option for alerts only is not available by default when configuring events to be sent to your email. The following link may help you learn how to create an event set that you can use to configure an alert:

http://cisco.com/en/US/docs/security/csa/csa45/user_guide/Chap8.html

tsteger1 Thu, 06/28/2007 - 11:01

Sounds like the mail server either isn't allowing it to work or is not configured correctly.


Do you have other alerts using the same server?


The only time I see messages like that is if I misconfigure the SMTP server or type in the address wrong in the alert.


Tom

cdillon12 Thu, 06/28/2007 - 11:08

Just getting CSA rolling actually. This is a test "alert". I have several "event sets" and I have tried to send alerts using each event set.


In the configuration, I am using my email address as the person to get the email. For the sender, I have used my own valid email, and I have tried a 'bogus' email ([email protected]).


I have used the DNS name in various configurations, "servername.company.net" or just "servername". Also the direct IP of the server.


There has to be some kind of setting or 'check box' that I am missing somewhere.



tsteger1 Thu, 06/28/2007 - 11:33

The alerting part and all is working correctly or you wouldn't get the warning about not sending.


Are you using this mail server to send alerts in other applications?

cdillon12 Thu, 06/28/2007 - 12:03

Yes. This is my primary mail server for this location. The same one I get my mail from. I have other applications that use this functionality. Example: my AS400, Veritas Backup Exec. I get notices from those applications regarding alerts and issues.


The CSA server is on the same LAN / subnet and can ping / communicate with the Exchange server.


For example, Backup Exec: the information is configured the same, "Server.company.net" with a bogus email, [email protected]. That is not a valid Active Directory account. Just to know where it comes from.

tsteger1 Thu, 06/28/2007 - 13:25

Just for kicks, set the alert to log to a text file and disable security on the MC for a bit and see what happens.


SMTP should work if you have the CSA MC Systems group at the defaults.


Turning off security should eliminate any rules as the culprit and the text log will tell you if your alert is functioning.
