I've been asked to implement a KEEPALIVE function for our MARS box which should send out an email every 15 minutes just to let us know that the box is still functioning correctly. I tried creating a KEEPALIVE rule that should trigger if a certain event is not seen for 15 minutes, but it didn't work. To implement this I defined the counter equal to zero, but I'm not sure whether its actually supported or not (the system accepts the input). Has anyone ever treid to set up something like this or creating a rule that fires after an interval of time in which an event is NOT seen?
Thank you, Joe
Please post details about the rule, if possible even a screenshot. If you set the count equal to zero then how would the rule ever trigger?
I'll try to post the rule ASAP. My reasoning was that if there were no occurrences of the event in the specified time range, it would trigger at the end of the time range. Otherwise, why would the rule accept 0?
I'm not positive I understand what you're after. I think you mean to let you know that MARS is working correctly?
We do something similar, but we've automated it. The email is sent to a linux box where it is parsed and an alert generated if the results are not what we expect (we use this process to actually making sure that MARS has events from all the devices we think it should have events from).
I think you're on the right track by focusing on the inspection rules. What I would suggest is that you consistently generate your own events in MARS from another system. On Linux this could be as simple as using the logger command. If you automate this, you can conceivably do this as often as every 1 minute. Have the inspection rule look for that specific event.
To give you an idea how I might fully automate this...
1) on a linux system that already reports into MARS, create a cron job that runs the logger command with your custom message every 1 minute. this could be a bash script or perl or php...whatever.
2) in MARS create the inspection rule count = 1. Have a time range of 1 minute. use the keyword to only look for your custom message. have the action send an email to an account on a linux box that is only used for this purpose.
3) have a cron job(perl,shell,php,etc) on the linux server that runs every 1 minute and checks the modify or access time of the users mailbox (typically /var/spool/mail/
You've understood exactly what I'm trying to achieve : you've described something similar to what I've done to get around the problem in the meantime! Our monitoring system works on keepalives, so my approach was a bit different. I've configured the MARS box to send an email every 15 minutes if it captures at least another keepalive event from other linux servers that use the same type of mechanism. Of course, should the linux server go down I wouldn't really know whether the problem has occurred on the MARS appliance or on the linux servers.
I'm still tying to figure out how to use a zero value in the counter though.
"I'm still tying to figure out how to use a zero value in the counter though."
I've never tried it, but it seems like it would be an invalid count value. Could you use the "!=" operator for the event and a count of 1? That seems more likely to work.
I've created the rule with a != condition placed on the Event field with a count of 1. It's triggering every 10 minutes although I changed the period to 30 minutes! Another drawback is that it creates incidents with all the other events that respect the != condition.... It's not what I was looking for. I'm now thinking of somehow modifying the "INACTIVE REPORTING DEVICE" to report on a bogus device that I can create. How can you modify the period of time on this rule?
We performed a major migration of our infrastructure and now my keep-alive mechanism doesn't work anymore. I've verified that I can't apply the NOT EQUAL TO operator to the COUNT field : you can only define a number without any operator. Any new suggestions? I'd like to send a keep-alive email every 15 minutes. Thanks, Joe
I've temporarily solved the problem by :
1. duplicated the Inactive CS-MARS reporting device rule;
2. Created a reporting device that does not exist on my network with an address that I invented (let's say 10.10.10.10).
3. Modified the duplicated rule, setting the Destination IP = Invented IP
4. Modified the Description (KEEPALIVE) and the Action (sends email).
5. Modified the Time Range too (set it to 10 minutes), but this did not make a difference since the messages are sent out every hour. It appears the 60 minute time range on the Event Type = Inactive CSMARS reporting device is somehow fixed and cannot be changed.
It is only a temporary solution because the 60 minute time range is considered unacceptable although it's better than nothing.