eventd questions

ktimm (Level 1)

Does eventd do any sort of data reduction, and if so, what are the parameters? It appears from reading the configuration material that I can have eventd send me one notification of an event in a certain amount of time. What are the criteria used: is it one event from an organization, per sig, or is it org, sig, srcip?

Can one script be used successfully for all domains?

Thanks

4 Replies

kleem (Cisco Employee)

Eventd consolidates based on alarm level so that all alarms of level x and greater are grouped together. It also allows the user to specify the interval that events will be consolidated and the number of events that need to occur within the interval before eventd executes its notification script. For example, you can specify that when 10 level 5 events occur within 30 minutes, eventd will run the event script.

The "Cisco Intrusion Detection System Director for UNIX Configuration and Operations Guide Version 2.2.3" explains in detail how to configure eventd.

That didn't really answer my question. I guess the part of the manual I'm confused about is this wording:

The EventAlarmInterval token specifies how much time, in seconds, that Cisco IDS waits before sending a second notification on alarm activity that meets the event script's conditions.

From this wording I'm not sure which protocol to follow.

Example:

EventAlarmThreshold=1

EventAlarmInterval=300

Now if an event comes in of level 5, say signature 6059, it should pass the event to the pre-defined event script. If another signature comes in of level 5 in 20 seconds, is that then passed to the event script? Or does nothing else of level 5 get passed to the pre-determined event script until 300 seconds have passed? Or do I have this wrong, and if you set your EventAlarmThreshold to 1 only, is it useless to use eventd, since its power is in sending an alert once a certain threshold has been reached?

The best way to demonstrate how this works is by an example:

Let's say my /usr/nr/etc/eventd.conf has the following:

------------------------------------------------------------------------

EventApplication 1001 3 /usr/nr/bin/eventd/event

EventAlarmThreshold 1,3,867

EventAlarmInterval 300

NOTE: The Threshold can contain a comma-delimited list. In the example I have three thresholds; I do not know if there is a limit to the number of thresholds.

-----------------------------------------------------------------------

Part of configuring eventd for emails is also configuring the /usr/nr/bin/eventd/event.conf file which is read by the /usr/nr/bin/eventd/event script referenced by the EventApplication token above.

So my event.conf file might have the following:

----------------------------------------------------------------------

Organization 100

4 3 - - user1@company.com

4 4 - - user2@company.com

--------------------------------------------------------------------

Now I receive the following alarms:

- Level 3 alarm for signature 3030 from sensor1 in org 100

Eventd will see this as an alarm which could go to the event script for emails.

So it starts a timer at time 0.

Then it starts counting the alarms, and this alarm is number 1.

It checks the threshold and sees that alarm number 1 is in the Threshold.

So it executes the event script for emails.

The event script reads the event.conf file and sees that the org of 100 on the alarm matches the org of 100 in the conf file, and then it sees that level 3 alarms generate emails to user1.

So event sends an email to user1.

- 10 seconds later there is a level 4 alarm 4001 from sensor2 in org 500

Eventd will see this as an alarm which COULD go to the event script for emails.

It sees that the timer is already going and is now at 10 seconds.

10 is less than 300 so it continues the previous count and this alarm becomes number 2.

****NOTE: the alarm is a different severity, a different signature, a different sensor, and even a different org, but eventd doesn't care. It still increments the same counter.

It checks the threshold and sees that alarm number 2 is not in the Threshold.

Since alarm number 2 is not in the Threshold it is done with this alarm.

- 5 seconds later there is a level 5 alarm 5063 from sensor3 in org 100

Eventd will see this as an alarm which COULD go to the event script for emails.

It sees that the timer is already going and is now at 15 seconds.

15 is less than 300 so it continues the previous count and this alarm becomes number 3.

It checks the threshold and sees that alarm number 3 is in the Threshold.

So it executes the event script for emails.

The event script reads the event.conf file and sees that the org of 100 on the alarm matches the org of 100 in the conf file, and then it sees that there is no configuration entry for level 5 alarms in the event.conf script so it does NOT send any email.

NOTE: For an email to be sent, eventd must have an alarm that matches that threshold within that interval which causes eventd to run the event script. Then the alarm's sensor organization and severity must match for the event script to generate an email. (Note: the source and destination direction of IN, OUT or "-" for either must also match).

So since there wasn't a configuration line in event.conf for level 5 alarms there will be no email even though the event email script was executed.

- now let's say in the next 250 seconds I get 863 alarms of level 3 or higher of different signatures and different sensors and organizations.

Each will continue the timer and increment the count but will not equal the threshold of 1, 3, or 867.

- now let's say the next alarm is level 4 and comes in 30 seconds later from sensor4 org 100.

Eventd will see this as an alarm which COULD go to the event script for emails.

It sees that the timer is already going and is now at 265 seconds.

265 is less than 300 so it continues the previous count and this alarm becomes number 867.

It checks the threshold and sees that alarm number 867 is in the Threshold.

So it executes the event script for emails.

The event script reads the event.conf file and sees that the org of 100 on the alarm matches the org of 100 in the conf file, and then it sees that level 4 alarms generate emails to user2.

So event sends an email to user2.

- now 30 seconds later a level 2 alarm comes in from sensor1 in org 100.

The alarm severity is too low for the event script severity so it is simply ignored.

- now 10 seconds later a level 3 alarm comes in from sensor1 in org 100

Eventd will see this as an alarm which could go to the event script for emails.

The previous timer is now at 325 which is higher than 300 so it resets the timer back to 0.

It also resets the counter and this alarm number is now 1.

It checks the threshold and sees that alarm number 1 is in the Threshold.

So it executes the event script for emails.

The event script reads the event.conf file and sees that the org of 100 on the alarm matches the org of 100 in the conf file, and then it sees that level 3 alarms generate emails to user1.

So event sends an email to user1.

-------------------------------------------------------------------------------------

Things to keep in mind:

1) The consolidation by eventd is on a per script basis for all messages of that severity or higher no matter the signature number, sensor, or organization.

NOTE: I say messages, because even commands and errors can generate messages and have severities. By default the commands and errors are severity 1 so usually just get ignored, but that is not always the case. To prevent errors and commands from causing problems do send errors and commands to eventd.

2) Eventd will execute the script when the alarm count for that script equals one of the threshold settings.

NOTE: Thresholds are a global setting, but I believe the count itself is per script; I am not positive on that.

3) For the event script to send an email the organization, severity, source, and destination must match the entry in event.conf.

Additional Question:

What if I have multiple organizations?

You can edit the event script and find the line which checks the organization and comment it out.

Or

1) Copy the event script to "event-orgnumber" where orgnumber equals the specific orgnumber.

2) Copy event.conf to "event-orgnumber.conf"

NOTE: The script looks for a configuration file by the same name with a .conf extension.

3) Manually edit the event-orgnumber.conf file, and set the organization entry

4) Add a new EventApplication line in eventd.conf for the new event-orgnumber script.

5) nrstop

6) nrstart

NOTE: I really suggest editing the event script, it is much easier in the end, but be sure to make backup copies before and after your edits.
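To make the consolidation rules in the reply above concrete, here is an added Python model of them (illustration only, not Cisco's eventd or event script). It replays the reply's alarm sequence through a single per-script timer and counter, runs a stand-in for the event script on the alarms whose count hits a threshold, and applies the event.conf org/severity/direction match. Assumptions not stated in the thread: the third field of EventApplication is the minimum severity the script handles (the reply treats a level 2 alarm as "too low"), severity must match an event.conf line exactly, "-" matches any direction, the first event.conf column is carried through unused, and the timestamps and signature numbers for alarms the reply does not number are constructed so the elapsed times match the ones the reply quotes.

```python
"""Model of eventd consolidation (timer/counter/threshold) and event.conf matching."""
from dataclasses import dataclass

# Constructed copies of the two configuration fragments shown in the reply.
EVENTD_CONF = """\
EventApplication 1001 3 /usr/nr/bin/eventd/event
EventAlarmThreshold 1,3,867
EventAlarmInterval 300
"""
EVENT_CONF = """\
Organization 100
4 3 - - user1@company.com
4 4 - - user2@company.com
"""


@dataclass
class Alarm:
    t: int            # seconds since the first alarm in the trace (constructed)
    level: int
    sig: int
    sensor: str
    org: int
    src: str = "IN"   # direction fields; the thread only names IN, OUT and "-"
    dst: str = "OUT"


def parse_eventd_conf(text):
    cfg = {"min_level": 1, "thresholds": set(), "interval": 0, "script": None}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "EventApplication":
            cfg["min_level"] = int(tok[2])   # assumption: field 3 = minimum severity
            cfg["script"] = tok[3]
        elif tok[0] == "EventAlarmThreshold":
            cfg["thresholds"] = {int(x) for x in tok[1].split(",")}
        elif tok[0] == "EventAlarmInterval":
            cfg["interval"] = int(tok[1])
    return cfg


def parse_event_conf(text):
    org, rules = None, []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "Organization":
            org = int(tok[1])
        else:
            col1, level, src, dst, email = tok   # col1 is not explained in the thread
            rules.append({"level": int(level), "src": src, "dst": dst, "email": email})
    return org, rules


class Eventd:
    """One timer and one counter per script, exactly as the reply walks through."""

    def __init__(self, cfg):
        self.cfg, self.timer_start, self.count = cfg, None, 0

    def should_run_script(self, alarm):
        if alarm.level < self.cfg["min_level"]:
            return False                       # too low for this script: ignored
        if self.timer_start is None or alarm.t - self.timer_start > self.cfg["interval"]:
            self.timer_start, self.count = alarm.t, 0   # interval expired: reset
        self.count += 1                        # any sig/sensor/org bumps the same counter
        return self.count in self.cfg["thresholds"]


def event_script(alarm, org, rules):
    """Stand-in for the event script: org, severity and directions must all match."""
    if alarm.org != org:
        return None
    for r in rules:
        if (r["level"] == alarm.level and r["src"] in ("-", alarm.src)
                and r["dst"] in ("-", alarm.dst)):
            return r["email"]
    return None


def build_trace():
    """The reply's alarm sequence; elapsed times 0, 10, 15, 265, 295, 325 as quoted."""
    trace = [Alarm(0, 3, 3030, "sensor1", 100),
             Alarm(10, 4, 4001, "sensor2", 500),
             Alarm(15, 5, 5063, "sensor3", 100)]
    for i in range(863):   # 863 level>=3 alarms, mixed sig/sensor/org, inside the interval
        trace.append(Alarm(20 + i // 4, 3 + i % 3, 9000 + i, f"sensor{i % 5}", 100 * (1 + i % 7)))
    trace += [Alarm(265, 4, 4002, "sensor4", 100),   # sig 4002 is constructed
              Alarm(295, 2, 2000, "sensor1", 100),
              Alarm(325, 3, 3030, "sensor1", 100)]
    return trace


def run(trace, eventd_conf=EVENTD_CONF, event_conf=EVENT_CONF):
    """Return (number of script executions, list of (t, sig, recipient) emails)."""
    ed = Eventd(parse_eventd_conf(eventd_conf))
    org, rules = parse_event_conf(event_conf)
    runs, emails = 0, []
    for a in trace:
        if ed.should_run_script(a):
            runs += 1
            to = event_script(a, org, rules)
            if to:
                emails.append((a.t, a.sig, to))
    return runs, emails


if __name__ == "__main__":
    n, mails = run(build_trace())
    print(f"event script executed {n} times; emails sent: {mails}")
```

Running it reproduces the reply: the script fires four times (counts 1, 3, 867 and the post-reset 1), but only three emails go out, because the level 5 alarm has no matching event.conf line. The level 2 alarm never touches the counter, and the level 3 alarm arriving at 325 seconds starts a fresh interval.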

Thank you. I believe I have a clear understanding of the abilities in eventd now.