How to set up email notifications in Symantec Security Information Manager v4.5 / v4.6 / v4.7


Article ID: 177375


Products

Security Information Manager

Issue/Introduction



 

Resolution

Detailed information about notification configuration is available in various sections of the Administration guide. The following is a summary of the steps to set up email notifications:

 

  • Notifications can be configured to send directly to a particular email address, or to a user. If you select a user, that user must have their email notifications configured.
    From the SSIM console:
    System - Administration - Users - <Select a User> - Notifications tab
    Add an email address and select the dates and times that the user should receive notifications by each particular method. For testing purposes, leave all the selection boxes checked until you have confirmed your notifications are working. You can then adjust notification methods for users if, for example, they need messages sent to a different address on the weekend.
     
  • Manager Components Configuration - You must configure the manager and provide it with email server details.
    From the SSIM console:
    System - Product Configurations - SESA Agent (4.5) <or> SSIM Agent And Manager (4.6) - Manager Components Configuration
    Create a new configuration by right-clicking "Manager Components Configuration" and choosing New. Add the appliance itself to this configuration. It is the appliance that sends the email notification, so the configuration must be distributed to the appliance, not to collector machines.

    Select the Notifications tab
    Populate all the fields.
    Note: There is no field for a password. SSIM does not support email notifications sent to email servers that require a password. If your email server requires a password, you will see authentication errors in the notification logs (see below). You cannot use internet mail servers such as Hotmail or Yahoo; if necessary, your email administrator will need to give you a host name or email address for an internal relay mail server.

    Populate fields on any additional tabs that you may require.

  • Rule - To test notifications, set up a rule that is certain to fire, and add a notification to that rule.
    From the SSIM console:
    Select Rules - Correlation Rules - User Rules
    Add a new rule called "TestNotify"
    Add an Event Criteria -
    "Severity ID = 1 - Informational"

    Select the Actions tab
    In the description add some text (optional)
    In the notification section check the "Enabled" box, and select recipients. You can only select a user if you have enabled notifications for that user (see above).

    Click "Deploy to Server" from the toolbar at the top.

    Note: The rule you just created will fire frequently. Once you have confirmed your email notifications are working you should disable and/or delete this rule.

  • Log location - Any problems with the notification service are logged on the appliance in the following log files:
    In SSIM 4.5 the log file is called notification.log and is located in /opt/Symantec/simserver/notification/logs
    In SSIM 4.6 the log file is called notificationsvc.log and is located in /opt/Symantec/simserver/logs
    In SSIM 4.7 the log file is called notificationsvc.log and is located in /opt/Symantec/simserver/logs

Please refer to the following KB in order to enable debug logging for the notification service.
http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2009110520111554
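
Because SSIM cannot supply a password to the mail server, it is useful to confirm that the relay accepts mail without SMTP authentication before relying on the notification logs to tell you. The Python check below is an added example, not part of the original article or of SSIM; the function names, the outcome labels and the default port 25 are assumptions. Relay policy often depends on the source address, so run it from a host the relay treats the same way as the appliance.

```python
"""Pre-check: does the mail relay accept mail without SMTP authentication?"""
import smtplib
import sys


def classify(code, auth_advertised):
    """Interpret the relay's final reply code to an unauthenticated MAIL/RCPT."""
    if 200 <= code < 300:
        return "accepted"            # relay takes mail without a password
    if code == 530:
        return "auth_required"       # RFC 4954: authentication required
    if 400 <= code < 500:
        return "temporary_failure"   # greylisting or transient fault; retry
    if auth_advertised:
        # Refused while AUTH is on offer: relaying is probably limited to
        # authenticated clients unless this source address is allow-listed.
        return "auth_or_allowlist_needed"
    return "rejected"                # sender, recipient or source IP refused


def probe(host, sender, recipient, port=25, timeout=10):
    """Open an envelope without logging in, then reset; no message is sent."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        auth_advertised = smtp.has_extn("auth")
        code, _ = smtp.mail(sender)
        if 200 <= code < 300:
            code, _ = smtp.rcpt(recipient)
        smtp.rset()                  # abandon the envelope before DATA
    return classify(code, auth_advertised)


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: relay_check.py RELAY_HOST FROM_ADDRESS TO_ADDRESS")
    try:
        outcome = probe(sys.argv[1], sys.argv[2], sys.argv[3])
    except (OSError, smtplib.SMTPException) as exc:
        sys.exit(f"connection problem: {exc}")
    print(outcome)
    sys.exit(0 if outcome == "accepted" else 1)
```

Any result other than `accepted` means the relay will not take SSIM notifications as configured, and the email administrator needs to provide an internal relay that does.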

