How to configure rule for CPU Utilization going beyond 30%

Sep 16th, 2010

Hi Friends,


I want to construct a rule in CSMARS which will send a mail to me once it receives CPU Utilization greater than 30% for any configured device.


I have created one rule for the event CPU Utilization Abnormally high. Is there any way to tune an event definition so that it triggers the event for CPU going high to a randomly chosen number, say 10%, 30% etc?


Also, when I receive a mail from CSMARS for "Rule Name: System Rule: Resource Issue: Network Device" (another configured rule), the mail contains the incident information. Is there any way to put some more details, like reporting device etc., in the mail content? The mail comes with the following contents:


The following incident occurred:

Start time:     Fri Sep 17 10:40:06 2010

End time:       Fri Sep 17 11:00:54 2010

Fired Rule Id:  624124

Fired Rule:     System Rule: Resource Issue: Network Device

Incident Id:    12817005849

For more details about this incident, please go to:

  https://CSMARS/Incidents/IncidentDetails.jsp?Incident_Id=12817005849

  https://10.216.16.106/Incidents/IncidentDetails.jsp?Incident_Id=12817005849

  https://1.1.1.1/Incidents/IncidentDetails.jsp?Incident_Id=12817005849

For all incidents occurred recently, please go to:

  https://CSMARS/Incidents/

  https://10.216.16.106/Incidents/

  https://1.1.1.1/Incidents/


I want to include some more details as in the MARS documentation. Please help in getting the steps to do so.

Scott Fringer (Cisco Employee) Sat, 09/18/2010 - 07:06

The CS-MARS resource-based rules are not configurable or exposed for creating custom rules.  You would be better served by a true network management/monitoring tool; CS-MARS is designed as a security incident correlation and reporting tool.


In regard to including more incident details in the email received, this is not currently customizable.  The email action provides the details you have noted.  You may want to look into using the XML notification which does include substantially more detail of the firing incident.  This output is discussed in the user guide at the following link:


http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/appXML.html


Scott
