TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ----------------------------------------------------------------------------
>I have the following configuration: > >Machine 1: Event Colector and Master Console >Machine 2: SQL (Master DataBase and Asset DataBAse) >Machine 3: Network Sensor (with two NIC one with IP 1.1.1.1 on external segment and >the other IP Internal) >Machine 4: Network Sensor (with two NIC one with IP 1.1.1.2 on external segment and >the other IP Internal) Sounds like they're not in stealth mode then, if each interface is assigned an IP address? You may wish to review that (not for this problem, just generally). >On other place I have two secondary consoles > >Machine 5: Secondary Console (W2K) >Machine 6: Secondary Console (Laptop with XP) >I have put the correct key from each console on the EventCollector and each >NetworkSensor. >All management keys and administartion keys are in the right place on each >sensor. You mean the console and event-collector public keys are in the right place? I didn't think that there were specific "management keys" or "administration" keys. >I can monitor all the sensor and EvenCollector from any Console (Machine 1, >Machine 2 and Machine 3) and I can "Revoke" and "Set Master Console" from >any Console too. >When I tested the ODBC connections from each console to Master DataBase and >Asset DataBase, the result was successfully. > >When I use the Machine 1 for monitoring the two sensors I see the event on >each sensor without problems. >But when I try monitoring the sensor from the others consoles I can�t see >any events on the sensor. This is very strange because I can connect to the >sensors from this consoles and I can "Revoke" and "Set Master console". But >I don�t see any data. Check each console GUI: View, Options, General tab, "Auto Monitor When Manage". Is it set? >When I review the log from the each server properties I don�t see any >strange messages. > >I only could see once the events from one sensor on the Machine 5 (Secondary >console), the data appeared very fast and in a large amount but afterwards >it stopped and no more events are displayed again. Perhaps you 'accidentally' selected to monitor it? >What file I should review for detect the problem, or what message do you >need for solve this case. I would try each console in turn and compare the different Status columns in the bottom "Managed Assets" window. Note, however, that these fields aren't always reliable (eg may take some time to reflect changes in status). You can go further by using "netstat -na" on the console(s) and event-collectors to see what sessions have been established. Also I presume you have a reliable way of generating alerts to test this? >On Each Sensor I have: >Three key from the consoles >one key from EventCollector >On the EventCollector I have: >Three key from the consoles You don't say which keys, or which directories they're in - not that i'd expect you to post the details here since they contain machine and user names... However if you can successfully connect to your sensors from machines 5 & 6 that implies to me that that bit's okay. >For this reason I can connect to the each sensors from any console (remenber >i hace three console one master and two secondary). But the Secondary >console display any events but the sensor appear like connect, and I can >apply policies, change policies, change responses and anything, for all >sensor but I can�t see events. > > >This is the problem I can�t see events. > >Regards. > Hope i'm not teaching you to suck eggs - difficult to be sure how familiar some of the posters here are with the actual product. Jason
