RE: [ISSForum] Tivoli introduced into RS environment...overflowing console and db

[Cloonan, John (ISS Cincinnati)]

Title: RE: [ISSForum] Tivoli introduced into RS environment...overflowing console and db

 

If you do not mind having Server Sensor simply ignore the event you can do so using the Trusted_User_List or local exceptions.

 

Refer to the Server Sensor documentation or to the following whitepaper for complete instructions.

http://www.issadvisor.com/viewtopic.php?t=204&highlight=customizing

 

thanks,

John

*******************************************************
John Cloonan
Product Manager
Internet Security Systems
*******************************************************

 

---

From: [EMAIL PROTECTED] On Behalf Of O'Flynn, Derek
Sent: Friday, January 23, 2004 1:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ISSForum] Tivoli introduced into RS environment...overflowing console and db

Call ISS and ascertain if you can rewrite the event to exclude logins occurring from the Tivoli server IP.  Or see if they can rewrite the event to exclude the Tivoli Username.

Derek

-----Original Message-----
From: Calvin Tait [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 22, 2004 8:31 PM
To: [EMAIL PROTECTED]
Subject: [ISSForum] Tivoli introduced into RS environment...overflowing console and db

Hello,
I've been running Real Secure Server Sensors on all our servers for a few
years.  Yesterday, a separate tool, Tivoli, was turned up in the
environment.  Tivoli requires a W2K server administrator account to run.
The Tivoli agent logs in 6 times locally every 2 minutes to kick off
programs.  Each login triggers two alerts:

1. User login with admin privileges
2. User logon with special admin privileges

These two alerts pop up for every sensor * 6 * # of servers in each farm.
It fills 4 gigs of database space every hour and floods the console to the
point it's useless.
I can't disable the alerts because we are required to have them and store
them for a period of time for due diligence.  I work for a large financial
institution and every admin login must be recorded and saved.  Has anyone
ever used Tivoli in an environment that co-existed with Tivoli?  I can't
find a single discussion on the net or in both product knowledge bases.  I
do not use Tivoli to with the Real Secure Plug-in.  The operate
independently of each other.  Any help would be greatly appreciated!!!!  I'm
at wit's end.  I can't delete the excess rows in the db as fast as they are
coming in.

Thanks!!!
R
_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo