Cisco Support Community

New Member

VMS 2.2/SecMon 1.2 Event Rules and E-mail

Hello,

I've set up an Event Rule to send me an e-mail when an alert matches. Unfortunately, the help file doesn't show any ${} variables for information such as type of signature matched, source or destination IP, or action taken. Can I insert this information into a message? If not, a mail message of the "a high level event has happened!" type is pretty useless.

Thanks,

Ben

6 REPLIES
Cisco Employee

Re: VMS 2.2/SecMon 1.2 Event Rules and E-mail

You can do this but you need to write a script that'll grab the things like SigID, Src/Dest Address, etc out of the database.

Send me an email (gf@cisco.com) and what version of code you're running on your sensors and I'll send you everything you need to get it working.

New Member

Re: VMS 2.2/SecMon 1.2 Event Rules and E-mail

You might as well post it, we're all going to want it.

New Member

Re: VMS 2.2/SecMon 1.2 Event Rules and E-mail

I agree, please give this info to everyone. I'm running VMS 2.2. It's interesting that you guys have a fancy script, but no support in VMS 2.2. What's the story?

Cisco Employee

Re: VMS 2.2/SecMon 1.2 Event Rules and E-mail

I would post it but it's quite large and easier for you to configure if I send you an HTML doc explaining what to do. FYI I have previously posted the v3.x script to this forum, the v4.x script is quite a bit larger though because v4.x sensors report their alerts in a completely different way (XML docs within SSL rather than the old PostOffice protocol).

As I said, send me an email and I'll gladly send you the stuff.

As for why it's not in the product, well, it will be. The developers didn't add email functionality into the original design, but have now recognised that a lot of customers want it and so are adding it into a future release. The script is simply a temporary work-around that'll do the same thing for you that I developed in the interim. There's nothing shady going on, just trying to make things a little easier for you guys. If anyone calls the TAC and asks for email functionality they'll get given the same script.

New Member

Re: VMS 2.2/SecMon 1.2 Event Rules and E-mail

Could you please post the 3.x script? I actually had a case open on this and was told the only script they had was a cspm script that didn't work with the vms platform.

I already knew that since I had tried to modify it.

If you could post the one that will work, that would be greatly appreciated.

thanks

Mike

Cisco Employee

Re: VMS 2.2/SecMon 1.2 Event Rules and E-mail

The v3.x script is in the old forum post here:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.ee8fdd3/1#selected_message

Remember that this will NOT work with v4.x sensors though, for that email me.
