11-27-2013 12:40 PM
I am wanting to have my ISRs send an email when a certain number of denies occur on an ACE. So if I have a particular ACE set up to log when TCP 3389 is denied, then the EEM applet or script would track when that deny entry happens. When the deny hits on that entry reach three times, it will send an email alert. The thing I am wondering about is how to set a variable within an event syslog pattern statement. For instance, how do I express a variable for the source IP/port in the below:
config-applet)# event syslog pattern "SEC-6-IPACCESSLOGP: list 198 denied tcp 201.198.71.51(38531) -> 212.184.81.52(3389)" occurs 3
The source IP and port could rotate or change, so I'd need to express that with some kind of variable. How could that be done? (Or is there a better approach altogether?)
11-27-2013 01:10 PM
The syslog pattern is a regular expression. So something like this would match:
event syslog pattern "SEC-6-IPACCESSLOGP:.*-> 212.184.81.52\(3389\)"
12-03-2013 03:02 PM
I put the below script in and it takes fine but does not send an email alert. Is there something more to do for configuring email sending?
event manager applet Intrusion-Tracking
event syslog pattern "SEC-6-IPACCESSLOGP:.*-> 208.195.174.115\(3389\)" occurs 3
action 1.0 mail server "173.16.7.2" to ".eem@company1.com." from ".eem@company1." subject ".intrusion_alert_from_c2900isr." body "Intrustion alert c2800isr"
12-03-2013 06:13 PM
Do you see the event being triggered in "show event manager history events"?
12-12-2013 06:47 AM
Yes, I get multiple messages like the below:
No. Job Id Proc Status Time of Event Event Type Name
10 49 Actv abort Thu Dec12 03:25:42 2013 syslog applet: Intrusion-Tracking
So it is aborting for some reason. Is there a separate log that will show further information?
12-12-2013 06:54 AM
You can enable "debug event manager action mail" to get more insight. Chances are the router cannot connect to your SMTP server. You may want to confirm you can telnet to it on TCP port 25 from the router.