I would love some advice on the best way to setup thresholds. Currently, when we get a "breakout" of events, after the fact, we setup a Threshold on that particular event. I'd love a way to have a "Global" threshold that would automatically kick in at a specified limit for any identical events. Thus far I haven't found any easy way to accomplish this and I'd hate to have to manually go through the existing Allow Filters we have and add the threshold to all of them manually.
Only problem is it doesn't discern between unique messages. It just sets a threshold on the number of messages coming through. I'd love something that would set the threshold on identical events so I don't get flooded with many duplicate events. This is more to appease the higher-ups who want a quick solution to a problem that doesn't happen that often. I'm not sure how feasible a request it would be to accomplish what I want. Thanks for the advice.
I notice this hasn't been updated since August 2010. However I want to revive this thread. I too would "love something that would set the threshold on identical events so I don't get flooded with many duplicate events."
I have the same concern that the threshold setup is global and may apply to too many events that we wouldn't want. In Windows systems alone, there are millions of combinations of event sources and ID #'s. To find and apply a threshold to each individual problem Event ID # and Source would be like finding a needle in a haystack. You would never catch all of the problem sources.
Hi Guys,
This is already possible with the existing threshold options. Our best practices explain this to some degree, but I will try to explain here as well:
http://www.netikus.net/software/eventsentry/best-practises/HTML/index.html?eventlogsecurityalertsexample2.htm
You can configure the threshold options to be as specific as you'd like, by utilizing the "Threshold Options" feature. By default, the threshold feature works on every event that passed through the filter.
As such, it can be too generic, since it could potentially apply to audit failures and system events at the same time.
I'll explain this with an example. Let's say our threshold is configured to send up to 20 events per 10 minutes. Then, we want to still keep one notification filter that forwards events to email, but have separate thresholds depending on the event log. That is, if 30 Audit Failures occurred in the security log on a server (and thus cap events after 20), then you would still want to receive alerts from the system log - basically have each event log use its own threshold counter.
The way to accomplish this would be to set the Threshold Options to "Event", and then only check the "Log" check box. Now, even though you only have one threshold configuration, thresholds are essentially grouped on the log they occur in.
On the other extreme, you can make this even more specific by checking more event log properties, e.g. Log, Source and ID.
With that configuration, the log, source and id would create a unique event combination, each of which would have their own threshold counter.
Application:EventSentry:12105
would be one combination. That is, if 30 events with that combination are generated, then only 20 of them will pass through. However, the event combination
Application:EventSentry:12155
gets its own threshold counter, so if 30 events of this combination occur at the same time, then the first 20 will be let through as well.
Now some systems generate the same event id regardless of the type of event it is; they can only be distinguished by the content. In that case, you will need to make sure you check the "Text (Details)" check box. Then, every event with a unique text will get its own unique threshold counter. Use this with care: don't activate this for filters that process a lot of unique events (e.g. Audit Success), as it can potentially slow filter processing down.
I hope this helps!
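To make the grouping behaviour from the answer above concrete, here is an added simulation (it is not EventSentry code and does not use its API; the class, function and event names are assumptions for illustration). It keeps one counter of "limit events per window" for every distinct combination of the properties you choose to group by, and runs three constructed bursts through it: the 30 Security + 5 System example, the two EventSentry event IDs, and a source that reuses one event ID for different messages.

```python
"""Per-group threshold counters (added example, not EventSentry's own code).

Each event carries the four properties discussed in the answer: log, source,
event ID and text. A threshold of `limit` events per `window` seconds is kept
separately for every distinct combination of the properties in `group_by`.
An empty `group_by` reproduces the default behaviour, where a single counter
covers every event the filter sees.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    log: str        # e.g. "Security", "System", "Application"
    source: str     # e.g. "Microsoft-Windows-Security-Auditing"
    event_id: int
    text: str       # message text ("Text (Details)" in the answer)
    ts: float       # seconds since epoch (constructed below)


class GroupedThreshold:
    """Allow at most `limit` events per `window` seconds for each group key."""

    def __init__(self, limit: int, window: float, group_by: tuple = ()):
        self.limit = limit
        self.window = window
        self.group_by = group_by
        self._counters = {}   # group key -> [window_index, count]

    def key(self, ev: Event) -> tuple:
        # Only the checked properties take part in the key; with nothing
        # checked every event shares the single key ().
        return tuple(getattr(ev, prop) for prop in self.group_by)

    def allow(self, ev: Event) -> bool:
        k = self.key(ev)
        win = int(ev.ts // self.window)
        counter = self._counters.get(k)
        if counter is None or counter[0] != win:
            counter = [win, 0]          # new window: reset this group's count
            self._counters[k] = counter
        if counter[1] >= self.limit:
            return False                # this group already hit its cap
        counter[1] += 1
        return True


def apply_threshold(events, group_by, limit=20, window=600):
    """Return {group key: number of events that passed} for a batch."""
    thr = GroupedThreshold(limit, window, group_by)
    passed = defaultdict(int)
    for ev in events:
        if thr.allow(ev):
            passed[thr.key(ev)] += 1
    return dict(passed)


# Constructed data: all timestamps fall inside one 10-minute window.
T0 = 1_700_000_000.0

# 30 logon failures in the Security log, then 5 service-state changes in
# the System log (the scenario from the answer).
BURST = [Event("Security", "Microsoft-Windows-Security-Auditing", 4625,
               "An account failed to log on.", T0 + i) for i in range(30)]
BURST += [Event("System", "Service Control Manager", 7036,
                "The Print Spooler service entered the running state.",
                T0 + 40 + i) for i in range(5)]

# The two EventSentry IDs named in the answer, 30 of each, interleaved.
ES = []
for i in range(30):
    ES.append(Event("Application", "EventSentry", 12105, "heartbeat ok", T0 + i))
    ES.append(Event("Application", "EventSentry", 12155, "checksum changed", T0 + i))

# One hypothetical source ("MyApp") reusing event ID 100 for two messages.
SAME_ID = [Event("Application", "MyApp", 100, f"job {n} failed", T0 + i)
           for i, n in enumerate([1] * 30 + [2] * 30)]


if __name__ == "__main__":
    print("default (one counter):", apply_threshold(BURST, ()))
    print("grouped by Log:", apply_threshold(BURST, ("log",)))
    print("Log+Source+ID:", apply_threshold(ES, ("log", "source", "event_id")))
    print("same ID, no Text:", apply_threshold(SAME_ID, ("log", "source", "event_id")))
    print("same ID, with Text:", apply_threshold(SAME_ID, ("log", "source", "event_id", "text")))
```

With no grouping, the 30 Security events exhaust the single counter and none of the 5 System events get through; grouping on Log lets 20 Security and all 5 System events pass. Adding Text to the key is what splits the reused event ID into two counters, which is also why it costs more: every distinct message becomes its own key, so the counter table grows with the number of unique texts the filter sees.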