Re: newbie question on alerts

0sgruttadauria · ‎07-02-2001

I configured a sensor / director to TCP reset matched strings, and it works fine. However, it never updates the openview map with an alert. The map does log a number of valid alerts, but I can't get it to update real-time.

I have changing loggerd and smid values. Is there something else that needs to be configured on the director?

Thanks.

marcabal · ‎07-02-2001

By default only severity level 3,4 and 5 alarms will be placed in the openview map, level 1 and 2 alarms are logged on the sensor.

So if you created a new string match signature then did you change the severity level to 3 or higher?

Also it could be that the openview map you are looking at is ReadOnly. Only the first openview map opened is Read/Write, and the map must be Read/Write for new alarms to appear.

0sgruttadauria · ‎07-02-2001

Thanks - I did set the severity levels for the match.

The only map attributes I could find (for the default map) is set to read/write. I am wondering if the smid process is configured correctly. The smid.conf only shows an entry for loggerd, not smid, but the documentation I have is not very detailed.

marcabal · ‎07-02-2001

The bottom left of the map window should say "default (Read-Write)".

I can take a look at your configuration if you would like.

You can send the following files directly to me here at Cisco:

From the sensor:

/usr/nr/etc/hosts

/usr/nr/etc/packetd.conf

/usr/nr/etc/destinations

/usr/nr/etc/daemons

From the director:

/usr/nr/etc/destinations

/usr/nr/etc/smid.conf

/usr/nr/etc/daemons

Also if you could generate a String Match alarm, as well as a normal alarm.

See if the normal alarm shows up in openview.

Then send me the /usr/nr/var/log. file from the sensor which contains the alarms, and the /usr/nr/var/log. file from the director that contains the alarms.