Thanks Calvin
From: "Cloonan, John (ISS Cincinnati)" <[EMAIL PROTECTED]>
To: "O'Flynn, Derek" <[EMAIL PROTECTED]>, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Subject: RE: [ISSForum] Tivoli introduced into RS environment...overflowing console and db
Date: Mon, 26 Jan 2004 09:05:30 -0500
If you do not mind having Server Sensor simply ignore the event, you can do so using the Trusted_User_List or local exceptions.
Refer to the Server Sensor documentation or to the following whitepaper for complete instructions. http://www.issadvisor.com/viewtopic.php?t=204&highlight=customizing
thanks, John
John Cloonan
Product Manager
Internet Security Systems
_____
From: [EMAIL PROTECTED] On Behalf Of O'Flynn, Derek
Sent: Friday, January 23, 2004 1:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ISSForum] Tivoli introduced into RS environment...overflowing console and db
Call ISS and ascertain if you can rewrite the event to exclude logins occurring from the Tivoli server IP. Or see if they can rewrite the event to exclude the Tivoli Username.
Derek
-----Original Message-----
From: Calvin Tait [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 22, 2004 8:31 PM
To: [EMAIL PROTECTED]
Subject: [ISSForum] Tivoli introduced into RS environment...overflowing console and db
Hello, I've been running Real Secure Server Sensors on all our servers for a few years. Yesterday, a separate tool, Tivoli, was turned up in the environment. Tivoli requires a W2K server administrator account to run.
The Tivoli agent logs in 6 times locally every 2 minutes to kick off programs. Each login triggers two alerts:
1. User login with admin privileges
2. User logon with special admin privileges
These two alerts pop up for every sensor * 6 * # of servers in each farm. It fills 4 gigs of database space every hour and floods the console to the point it's useless. I can't disable the alerts because we are required to have them and store them for a period of time for due diligence. I work for a large financial institution and every admin login must be recorded and saved. Has anyone ever used Tivoli in an environment that co-existed with Tivoli? I can't find a single discussion on the net or in both product knowledge bases. I do not use Tivoli with the Real Secure Plug-in. They operate independently of each other. Any help would be greatly appreciated!!!! I'm at wit's end. I can't delete the excess rows in the db as fast as they are coming in.
Thanks!!!
R
_______________________________________________
ISSForum mailing list [EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
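
Added example, not part of the thread and not RealSecure configuration syntax: a Python sketch of the exclusion the replies describe, scoped to the service account and to local logons together, with excluded events collapsed into one counted row per server, event and hour instead of being dropped. The account name `tivoli_svc`, the event dictionary fields and the sample data are assumptions constructed for illustration.

```python
from collections import Counter

# Assumed names, not from the thread: the account name and the event fields.
SERVICE_ACCOUNT = "tivoli_svc"
NOISY_EVENTS = ("User login with admin privileges",
                "User logon with special admin privileges")


def triage(events):
    """Return (console_alerts, rollup) for a list of event dicts.

    An event is rolled up only when all three conditions hold: it is one of
    the two noisy events, the user is the service account, and the logon is
    local. Anything else, including the service account logging on from
    another host, still reaches the console.
    """
    alerts, rollup = [], Counter()
    for ev in events:
        expected = (ev["name"] in NOISY_EVENTS
                    and ev["user"].lower() == SERVICE_ACCOUNT
                    and ev["local"])
        if expected:
            hour = ev["time"][:13]  # "YYYY-MM-DDTHH"
            rollup[(ev["server"], ev["user"], ev["name"], hour)] += 1
        else:
            alerts.append(ev)
    return alerts, rollup


def sample_events(server="srv01"):
    """Constructed data: one hour on one server at the rate in the thread."""
    def event(time, user, name, local):
        return {"time": time, "server": server, "user": user,
                "name": name, "local": local}
    events = []
    for minute in range(0, 60, 2):        # every 2 minutes
        for _ in range(6):                # 6 local logins
            for name in NOISY_EVENTS:     # each login raises both events
                events.append(event(f"2004-01-22T20:{minute:02d}:00",
                                    SERVICE_ACCOUNT, name, True))
    events.append(event("2004-01-22T20:15:00", "jsmith", NOISY_EVENTS[0], True))
    events.append(event("2004-01-22T20:16:00", SERVICE_ACCOUNT, NOISY_EVENTS[0], False))
    return events


if __name__ == "__main__":
    alerts, rollup = triage(sample_events())
    print(len(alerts), "console alerts;", len(rollup), "rollup rows")
    for key, count in sorted(rollup.items()):
        print(count, key)
```

On the constructed hour, 360 service-account events become two rollup rows, while the human administrator's login and the non-local use of the service account remain individual alerts.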
