You can create a trigger event in the database on the table that holds
the status information and then have SQL Server send you an email...at
least that's how I did it prior to coming to ISS. You can use something
similar to this:
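-- =============================================
-- Trigger for emailing Component status changes
-- Author: Eric Lewis, Technical Security Officer
-- =============================================
SET NOCOUNT ON
GO
CREATE TRIGGER trig_EricLewis
ON dbo.Component
FOR UPDATE
AS
-- Only act when the UPDATE statement touched the Status column
IF UPDATE(Status)
BEGIN
    DECLARE @sensornm1 nvarchar(100)
    DECLARE @statusdsc1 char(40)
    DECLARE @delstatusdsc1 char(40)
    DECLARE @sensortotal1 varchar(140)
    -- These scalar subqueries assume the UPDATE changed exactly one row;
    -- a multi-row update makes them fail with "subquery returned more than 1 value"
    SET @sensornm1 = (SELECT SensorName FROM Inserted)
    -- Description of the new status
    SET @statusdsc1 = (SELECT StatusDesc FROM Inserted, dbo.ComponentStatus WHERE Status = StatusValue)
    -- Description of the previous status
    SET @delstatusdsc1 = (SELECT StatusDesc FROM Deleted, dbo.ComponentStatus WHERE Status = StatusValue)
    -- Mail subject: sensor name plus status. The list archive's address filter
    -- replaced the end of this line; appending the new status description is assumed.
    SET @sensortotal1 = @sensornm1 + ' ' + @statusdsc1
    -- Send mail only when the status description actually changed
    IF @statusdsc1 != @delstatusdsc1
        EXEC sp_send_cdontsmail '[EMAIL PROTECTED]', '[EMAIL PROTECTED]', @sensortotal1, 'Please check sensors!'
END
GO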
-------------------------------------------------------
You should build some error checking into it or thresholds to prevent
getting flooded with emails just in case something goes haywire. Also,
this is an old version of the trigger I built so since the database
schema has changed I haven't verified these are the correct tables. The
nice thing about this trigger is that you can also see when your
Internet Scanners start and stop their scans. If you only want to see a
certain group of sensors then you'll need to exclude them. A good
example of this is that you probably don't want to see every time a
desktop sensor changes status especially in a large environment. I
believe that ISS is building this type of alerting into future service
packs of SiteProtector.
Eric S. Lewis, CISSP, CEH, NSA IAM, CCSA, MCSE
Senior Systems Engineer
Internet Security Systems
Office 703.925.2013
Cell 703.582.5521
Fax 703.925.2019
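
The flood protection suggested in the reply, as an added example that is not part of the original post: the trigger only queues status changes, and a scheduled procedure mails one digest per run. The queue table, trigger and procedure names and the e-mail addresses are hypothetical, SensorName is assumed to identify a row in dbo.Component, and sp_send_cdontsmail is assumed to take the four positional arguments used in the post.

```sql
-- Added example, not the poster's code. Hypothetical objects: dbo.SensorStatusQueue,
-- trig_QueueStatusChange, dbo.usp_MailStatusDigest. Addresses are placeholders.
CREATE TABLE dbo.SensorStatusQueue (
    QueueID    int IDENTITY(1,1) PRIMARY KEY,
    SensorName nvarchar(100) NOT NULL,
    OldStatus  char(40) NULL,
    NewStatus  char(40) NULL,
    ChangedAt  datetime NOT NULL DEFAULT GETDATE(),
    Mailed     bit NOT NULL DEFAULT 0
)
GO
-- The trigger only records changes. It is set-based, so multi-row updates work,
-- and no mail call runs inside the transaction that updates dbo.Component.
CREATE TRIGGER trig_QueueStatusChange
ON dbo.Component
FOR UPDATE
AS
IF UPDATE(Status)
    INSERT INTO dbo.SensorStatusQueue (SensorName, OldStatus, NewStatus)
    SELECT i.SensorName, os.StatusDesc, ns.StatusDesc
    FROM Inserted i
    JOIN Deleted d ON d.SensorName = i.SensorName  -- assumption: SensorName is unique
    LEFT JOIN dbo.ComponentStatus os ON os.StatusValue = d.Status
    LEFT JOIN dbo.ComponentStatus ns ON ns.StatusValue = i.Status
    WHERE i.Status <> d.Status
GO
-- Run from a scheduled job (for example every 10 minutes): one mail per run,
-- however many sensors changed; the body lists at most the 25 oldest changes.
CREATE PROCEDURE dbo.usp_MailStatusDigest
AS
SET NOCOUNT ON
DECLARE @maxid int, @total int, @id int, @n int, @subject varchar(100), @body varchar(4000)
SELECT @maxid = MAX(QueueID), @total = COUNT(*)
FROM dbo.SensorStatusQueue WHERE Mailed = 0
IF @total = 0 RETURN
SELECT @id = 0, @n = 0, @body = '', @subject = CAST(@total AS varchar(10)) + ' sensor status change(s)'
WHILE @n < 25
BEGIN
    SELECT @id = MIN(QueueID) FROM dbo.SensorStatusQueue WHERE Mailed = 0 AND QueueID > @id AND QueueID <= @maxid
    IF @id IS NULL BREAK
    SELECT @body = @body + CONVERT(varchar(19), ChangedAt, 120) + ' ' + SensorName + ': '
           + RTRIM(ISNULL(OldStatus, '?')) + ' -> ' + RTRIM(ISNULL(NewStatus, '?')) + CHAR(13) + CHAR(10)
    FROM dbo.SensorStatusQueue WHERE QueueID = @id
    SET @n = @n + 1
END
EXEC sp_send_cdontsmail 'alerts@example.com', 'soc@example.com', @subject, @body
UPDATE dbo.SensorStatusQueue SET Mailed = 1 WHERE Mailed = 0 AND QueueID <= @maxid
GO
```

Rows queued while the procedure runs have a QueueID above @maxid, so they stay unmailed and go out in the next digest.
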
-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Nicholas Cross
Sent: Tuesday, May 24, 2005 4:46 AM
To: [EMAIL PROTECTED]
Subject: [ISSForum] Alert on sensor "Not Responding"
How can I set up ISS SP2.0 to alert whenever a sensor is seen as "Not
Responding" in the console view?
We have a number of NIDS that occasionally fail, but the issDaemon and
issCSF et al. services are still running on the NIDS, but the events are
not being sent back to the console. It would be of benefit if we could
be alerted to this fact via SNMP.
Or are we looking at a shell script to capture the heartbeat/stats
events and to determine whether one has been seen in the last 10 mins or
so? We have all the alerting turned on, in the event collector
preferences at the moment.
How does everyone else do this on the list?
best regards,
Nick.
Yes, I didn't email from my work account ;-) I am that paranoid
_______________________________________________
ISSForum mailing list
[email protected]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]
The ISSForum mailing list is hosted and managed by Internet Security
Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.