How to configure rule for CPU Utilization going beyond 30%

rashidsiddiqui
Level 1

Hi Friends,

I want to construct a rule in CSMARS, which will send a mail to me, once it receives CPU Utilization greater than 30% for any configured device.

I have created one rule for event CPU Utilization Abnormally high. Is there any way to tune an event definition so that it triggers the event for CPU going high to a randomly chosen number, say 10%, 30% etc?

Also when I receive a mail from CSMARS for "Rule Name: System Rule: Resource Issue: Network Device" (another configured rule), the mail contains the incident information. Is there any way to put some more details like reporting device etc. in the mail content? The mail comes with the following contents:

The following incident occurred:

Start time:     Fri Sep 17 10:40:06 2010

End time:       Fri Sep 17 11:00:54 2010

Fired Rule Id:  624124

Fired Rule:     System Rule: Resource Issue: Network Device

Incident Id:    12817005849

For more details about this incident, please go to:

  https://CSMARS/Incidents/IncidentDetails.jsp?Incident_Id=12817005849

  https://10.216.16.106/Incidents/IncidentDetails.jsp?Incident_Id=12817005849

  https://1.1.1.1/Incidents/IncidentDetails.jsp?Incident_Id=12817005849

For all incidents occurred recently, please go to:

  https://CSMARS/Incidents/

  https://10.216.16.106/Incidents/

  https://1.1.1.1/Incidents/

I want to include some more details as in the MARS documentation. Please help in getting the steps to do so.


Scott Fringer
Cisco Employee

The CS-MARS resource-based rules are not configurable or exposed for creating custom rules.  You would be better served by a true network management/monitoring tool; CS-MARS is designed as a security incident correlation and reporting tool.

In regard to including more incident details in the email received, this is not currently customizable.  The email action provides the details you have noted.  You may want to look into using the XML notification which does include substantially more detail of the firing incident.  This output is discussed in the user guide at the following link:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/appXML.html

Scott

Thanks Scott
