ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Custom Syslog Event Configuration and alert filtering in Spectrum to remove unwanted alarms

book

Article ID: 236894

calendar_today

Updated On:

Products

CA Spectrum DX NetOps

Issue/Introduction

How can the event rules be configured so that a particular event will not trigger the alert.

Scenario:

When undertaking a security scan on a network device, the device triggers the alarm 'A CRITICAL SYSLOG EVENT HAS OCCURRED', cause code 0x21001c:

From the event, it is caused by the scan with reason: Login Authentication Failed.

Question:

How can the event rules for this 0x21001c event be configured so that only this login failed trap will not trigger the alert?

Environment

DX NetOps Spectrum release 20.2 or later

Resolution

The 0x21001c event has the following description located in the message body:

[Reason: Login Authentication Failed].

Looking at the event message, the variable that represents this is the third, which would be written as: 

{v 3}

You can then do a string comparison on this variable (strcmp) in the event rules for it. For example:

if strcmp({v 3} {S “Login Authentication Failed”}) evaluates to TRUE, then generate <EVENT> 

Where <EVENT> represents a new custom event which does not raise an alarm.

Attachments