How to use Event Forwarding to send "incidents" to another Symantec Security Information Manager (SSIM) Server

Article ID: 177554
Products

Security Information Manager

Issue/Introduction

You want to send events to be correlated from one SSIM server to another SSIM Server without using Service Provider mode.


Cause

There is no option to forward only incidents. Instead, the source server must forward all of its events to the destination server, which correlates them again and raises the incidents itself. This setup is generally used when you have only two appliances:

one collecting/archiving and the other correlating only

or

one correlating/archiving/collecting and one as a backup that only correlates (with the archive written to external storage).

Resolution

If you are not using Service Provider mode, do the following to send events from one SSIM server to another so that they are correlated there again into incidents:

Go to the System tile -> Appliance Configurations.
Expand the SSIM Server you want to forward incidents from.
Go to Event Forwarding Rules -> Create a new Event Forwarding rule.
In the new rule properties, enter the following:
· Rule Name
· The hostname or IP address of the SSIM server the incidents will be sent to
· The service to forward to: select ‘Correlation Service’, which uses port 10010.

Save/Apply the rule.
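Before saving the rule, it is worth confirming that the destination name resolves and that TCP port 10010 (the Correlation Service port named above) is actually reachable from the forwarding appliance's network path; a rule pointing at a filtered port silently drops the re-correlation. The following preflight check is an added example, not part of this article or of SSIM; the destination hostname in it is hypothetical.

```python
"""Preflight check for an SSIM Event Forwarding rule target.

Added example, not part of the original article or of SSIM itself.
Assumes the destination exposes the Correlation Service on TCP 10010
and that the check runs from a host on the same network path as the
forwarding appliance.
"""
import socket

CORRELATION_SERVICE_PORT = 10010  # port the article gives for 'Correlation Service'


def resolve_target(host):
    """Return the addresses the rule's hostname resolves to (an IP literal resolves to itself)."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    seen, addrs = set(), []
    for _family, _type, _proto, _canon, sockaddr in infos:
        addr = sockaddr[0]
        if addr not in seen:  # de-duplicate, keep resolver order
            seen.add(addr)
            addrs.append(addr)
    return addrs


def tcp_reachable(addr, port, timeout=3.0):
    """True if a TCP handshake to addr:port completes within the timeout."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, etc.
        return False


def check_forwarding_target(host, port=CORRELATION_SERVICE_PORT, timeout=3.0):
    """Resolve the destination SSIM server and probe the Correlation Service port.

    "ok" is True only when at least one resolved address accepts the connection.
    """
    results = {a: tcp_reachable(a, port, timeout) for a in resolve_target(host)}
    return {"host": host, "port": port, "addresses": results, "ok": any(results.values())}


if __name__ == "__main__":
    # Hypothetical destination; replace with the SSIM server named in your rule.
    report = check_forwarding_target("ssim-correlator.example.internal")
    for addr, reachable in report["addresses"].items():
        print(f"{addr}:{report['port']} -> {'open' if reachable else 'closed/filtered'}")
    if not report["ok"]:
        print("Correlation Service not reachable; fix routing/firewall before saving the rule.")
```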


Technical Information
If you want to forward incidents in Service Provider mode, see http://www.symantec.com/docs/TECH91012

SSIM 4.7.1 added an option to use an internal Service Provider mode. That is now the recommended setup; the configuration above should be used for SSIM 4.6 only.