Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
441
Views
0
Helpful
1
Replies

Why not all alarms, events.. are displayed in Alarm-submap in the Director

thanhlv
Level 1
Level 1

‎04-14-2002 07:32 PM - edited ‎03-08-2019 10:18 PM

I configured the sensor( sensor.netsoft) to send the errors, commands, events, ... to the smid daemon in the director (ids.NETSOFT), but all of the events are displayed in the alarm-submap of the sensor although the event logfile in the director has similar content of the sensor's.

Here is the configuration of destination file of the sensor.

1 sensor.netsoft loggerd 1 ERRORS,COMMANDS,EVENTS,IPLOGS

2 ids.NETSOFT smid 1 ERRORS,COMMANDS,EVENTS,IPLOGS

3 sensor.netsoft smid 1 ERRORS,COMMANDS,EVENTS,IPLOGS

4 ids.NETSOFT loggerd 1 ERRORS,COMMANDS,EVENTS,IPLOGS

5 ids.NETSOFT eventd 1 ERRORS,COMMANDS,EVENTS

Labels:
0 Helpful
1 Reply 1

marcabal
Cisco Employee
Cisco Employee

‎04-15-2002 07:55 AM

The default settings for the Unix Director are to only show level 3,4 or 5 alarms in OpenView.

Level 3 = Yellow Alarms

Level4 and 5 = Red Alarms

For more information refer to step 3 of the following link:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids7/unix_cfg/intro.htm#xtocid414518

As a side note, it looks like your destination file on your sensor could cause some problems.

1 sensor.netsoft loggerd 1 ERRORS,COMMANDS,EVENTS,IPLOGS - this line is fine

2 ids.NETSOFT smid 1 ERRORS,COMMANDS,EVENTS,IPLOGS - remove IPLOGS from this entry, smid does not do anything with the IPLOGS so you are sending unnecessary data

3 sensor.netsoft smid 1 ERRORS,COMMANDS,EVENTS,IPLOGS - remove this whole entry, there is no smid daemon on the sensor to send events to, this will cause errors in errors.postofficed

4 ids.NETSOFT loggerd 1 ERRORS,COMMANDS,EVENTS,IPLOGS - You likely do not need this line. Smid on the director is configured by default to send copies of it's alarms to loggerd on the director (a DupDestination line for loggerd in the smid.conf file). If you have not removed that line from smid.conf then you are sending duplicate alarms to loggerd on the director. You will need to either remove the DupDestination from with smid.conf or remove this destination entry.

5 ids.NETSOFT eventd 1 ERRORS,COMMANDS,EVENTS - Smilar to the line above, be sure that there is a not a DupDestination entry for eventd in the Director's smid.conf file in order to prevent duplicate alarms.

0 Helpful
Customers Also Viewed These Support Documents