Eyeglass Alarm forwarding Guide - Syslog and Legacy SNMP

Overview:

Alarms can be forwarded over syslog or SNMP. We recommend syslog, as SNMP is a legacy protocol with fewer capabilities. This guide explains how to filter alarms and then forward those matching certain criteria. It contains the most common examples of how to filter by application or by alarm severity.


NOTE: Only configure syslog forwarding OR SNMP forwarding, not both. If you require both, contact support.


Limitations

  1. Syslog and SNMP are limited in what information can be carried over these protocols. Email alerts contain more information that is not available over syslog and SNMP because of these protocol limits.
  2. The intent of SNMP or syslog forwarding is to deliver the basic alarm type and severity; detailed alarm data is available in the GUI or via email, which supports more text and attachments. This forwarding solution provides notification of an alarm, the application that generated it, and the severity.
  3. Only the documented forwarding solutions below are supported.


Deprecation Notice

  1. NOTE: /var/log/messages will be deprecated and no longer supported as a log source for forwarding alarms in an upcoming release. From release 2.5.7, the system log is no longer used; alarms are written to a dedicated alarms log that is forwarded with syslog-ng.



Supported Alarms

  1. Eyeglass alarms listed here

Requirements:

  1. Eyeglass OVF version 2.5.6 or greater, on openSUSE 15.1 or later. Upgrade to the latest OVF if required with the guide here.
  2. Place the SUPERNA-EYEGLASS-MIB file onto your SNMP trap management station.  It will be located here on the appliance /opt/pygls/lib/python3.6/site-packages/pygls/mibs


Configuration of SYSLOG Forwarding - Release 2.5.7 and Later

  1. The new alarm architecture uses a dedicated log that rolls over and provides alarm history outside the database, in addition to the alarm history available in the GUI. Release 2.5.7 or later is required.
  2. README FIRST: If you are upgrading from a previous release or had configured syslog forwarding on a release before 2.5.7, you must replace the entire configuration with the example below.
  3. Review all the filter examples to match your requirement and replace the filter with one of the following scenarios.
    1. How to Filter by Severity, Application, or Alarm codes (recommended)
  4. Log location
    1. /opt/superna/sca/logs/igls_alarms.log
  5. Configure Syslog Forwarding
    1. ssh to the appliance as the admin user
    2. sudo -s
    3. Enter the admin password
    4. nano /etc/syslog-ng/conf.d/superna.conf
    5. The example below forwards specific Ransomware Defender events.
      1. Paste the text below into the file and change the text as follows:
      2. Replace x.x.x.x with the IP address of the syslog server you want to forward messages to.

filter f_superna {
    message("RSW0002") or message("RSW0011") ;
};

source igls_src { file("/opt/superna/sca/logs/igls_alarms.log"); };

destination logserver { udp("x.x.x.x" port(514)); };

log {
    source(igls_src);
    filter(f_superna);
    destination(logserver);
};

  1. After making changes, syslog-ng must be restarted for the changes to take effect
    1. systemctl restart syslog-ng
  2. Check that it is running
    1. systemctl status syslog-ng
  3. It should show an active (running) state
  4. done

Configuration of SYSLOG Forwarding - Legacy Deprecated < 2.5.7


  1. ssh to the appliance as the admin user
  2. sudo -s
  3. Enter the admin password
  4. nano /etc/syslog-ng/conf.d/superna.conf    (use vim on the 42.3 OS)
  5. Paste this text into the file and change the text as follows:
    1. Replace x.x.x.x with the IP address of the syslog server you want to forward messages to.

filter f_superna {

    message("Severity:CRITICAL") or message("Severity:WARNING") ;

};

destination logserver { udp("x.x.x.x" port(514)); };


log {

    source(src);

    source(chroots);

    filter(f_superna);

    destination(logserver);

};

  1. After making changes, syslog-ng must be restarted for the changes to take effect
    1. systemctl restart syslog-ng
  2. Check that it is running
    1. systemctl status syslog-ng
  3. It should show an active (running) state
  4. done

How to Filter and Forward alarms

This section provides examples of how to filter for alarms to forward to syslog.

How to forward by alarm Severity

To combine multiple alarm severities or combine message strings, see the example below:

filter f_superna {

    message("Severity:CRITICAL") or message("Severity:MAJOR") ;

};



How to Forward by Alarm code (Recommended and Supported Method)

This filter example is the best option to forward exactly the alarms you need, using the alarm code guide. All possible alarms are listed there, which simplifies forwarding exactly the alarms you need to external systems. Get the alarm codes and use them in the filters.

filter f_superna {

    message("RSW0002") or message("RSW0011") ;

};


How to Filter by Application

Each Eyeglass application has an alarm code to easily forward alarms based on the prefix.

  1. Ransomware Defender prefix - RSW
  2. Easy Auditor prefix - EAU
  3. DR prefix - SCA


How to Forward Ransomware Defender User Lockout and Restored Alarms Except for Security Guard Alarms

In the example below, two commonly used Ransomware Defender alarms are needed.

  1. User locked out is RSW0002
  2. User access restored is RSW0011
  3. NOTE: Replace igls-sg in the filter with the security guard service account that you have configured.

filter f_superna {

    (message("RSW0002") or message("RSW0011"))  and not message("igls-sg") ;

};

This example forwards all Ransomware Defender and Easy Auditor alarms

filter f_superna {

    message("RSW") or message("EAU") ;

};



This example forwards all Ransomware Defender alarms except for Security Guard alarms

NOTE: Replace igls-sg in the filter with the security guard service account that you have configured.

filter f_superna {
    message("RSW") and not message("igls-sg");
};


How to Integrate Ransomware Defender Events with a SIEM

  1. When Ransomware Defender detects a user with ransomware, the syslog alarm it generates includes the user ID, the IP address and a subset of the files that were detected. The IP address can be used in a SIEM trigger to find the Ethernet port of the IP address and disable the port. See the example message format below.
  2. Use the AID (user name) and clientIps (PC IP address) fields shown below to build your parsing and trigger. Using this information, build a trigger in your SIEM to take action on the Ethernet port the PC is connected to.
  3. [DEBUG] IGLS_ALARMS:168 - Eyeglass, , Event: 2021-02-26 19:28:23.916, AID:AD02\sgdemo, Port:Nil, Type:null, EntityType:, Extra Data:{"clientIps":"172.31.1.65","info":"Successfully locked out user AD02\\sgdemo"}, Description:Locked user access.172.31.1.65, NSA, Severity:CRITICAL, Impact:false, Category:RSW0002 

Syslog format examples to be used for parsing with a syslog server - Release 2.5.7 and later

How to search the Eyeglass appliance logs for examples of syslog alarm formatting

  1. Login to eyeglass vm over ssh as admin
  2. cat /opt/superna/sca/logs/igls_alarms.log

Example alarm formats

[DEBUG] IGLS_ALARMS:168 - Eyeglass, , Event: 2021-02-26 20:15:23.983, AID:\ifs\data\dfsdata\dlp\, Port:Nil, Type:null, EntityType:, Extra Data:{"reason":"There is no smart quota for /ifs/data/dfsdata/dlp/ limited by a Data Loss Prevention threat detector. no limit is enforced."}, Description:There is no smart quota for a path limited by a Data Loss Prevention threat detector , NSA, Severity:MAJOR, Impact:false, Category:EAU0005 

[DEBUG] IGLS_ALARMS:168 - Eyeglass, , Event: 2021-02-26 19:28:14.496, AID:AD02\sgdemo, Port:Nil, Type:null, EntityType:, Extra Data:{"clientIps":"172.31.1.65","event severity":"CRITICAL","user name":"AD02\\sgdemo","affected files":"\\\\prod8\\System\\ifs\\igls-securityguard\\igls-securityguard-test-file-1614385692201.iglsrswtest","affected Isilon clusters":["prod8"],"detectors":"THREAT_DETECTOR_06","number of affected files":"1","info":"Lockout required."}, Description:Ransomware event received. Event severity: CRITICAL, user: AD02\sgdemo172.31.1.65, NSA, Severity:CRITICAL, Impact:false, Category:RSW0001

[DEBUG] IGLS_ALARMS:168 - Eyeglass, , Event: 2021-02-26 19:28:23.916, AID:AD02\sgdemo, Port:Nil, Type:null, EntityType:, Extra Data:{"clientIps":"172.31.1.65","info":"Successfully locked out user AD02\\sgdemo"}, Description:Locked user access.172.31.1.65, NSA, Severity:CRITICAL, Impact:false, Category:RSW0002
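As an added example (not part of this guide or of the Eyeglass software), the following Python parses alarm lines of the format shown above into fields, emulates the recommended filter shape from the filtering section, (RSW0002 or RSW0011) and not igls-sg, the way syslog-ng's message() regular-expression match would, and pulls out the user (AID) and client IP (clientIps) that the SIEM integration section says to trigger on. The first three sample lines are the page's own examples; the fourth, using the igls-sg placeholder account, is constructed to show the exclusion working.

```python
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Layout of one igls_alarms.log line as documented on this page. Extra Data is
# JSON; Description is free text, so the ", NSA, " separator that follows it is
# what tells the parser where the description ends.
ALARM_RE = re.compile(
    r"IGLS_ALARMS:\d+ - Eyeglass, , "
    r"Event: (?P<event>[^,]+), "
    r"AID:(?P<aid>.*?), Port:[^,]*, Type:[^,]*, EntityType:[^,]*, "
    r"Extra Data:(?P<extra>.*?), Description:(?P<desc>.*?), NSA, "
    r"Severity:(?P<severity>\w+), Impact:\w+, Category:(?P<category>\w+)"
)


@dataclass
class Alarm:
    event_time: str
    aid: str            # user or path the alarm is about
    extra: Dict         # decoded Extra Data JSON
    description: str
    severity: str
    category: str       # alarm code, e.g. RSW0002


def parse_alarm(line: str) -> Optional[Alarm]:
    """Parse one alarm line; returns None for lines that are not alarms."""
    m = ALARM_RE.search(line)
    if m is None:
        return None
    try:
        extra = json.loads(m["extra"])
    except json.JSONDecodeError:
        extra = {"raw": m["extra"]}  # keep the text rather than drop the alarm
    return Alarm(m["event"], m["aid"], extra, m["desc"].strip(),
                 m["severity"], m["category"])


def syslog_ng_filter(line: str, include: Sequence[str],
                     exclude: Sequence[str] = ()) -> bool:
    """Emulate the filter shape (message(A) or message(B)) and not message(X).
    syslog-ng message() is a regular-expression search over the whole message,
    so a short pattern such as "RSW" matches wherever it appears, Extra Data included."""
    matched = any(re.search(p, line) for p in include)
    excluded = any(re.search(p, line) for p in exclude)
    return matched and not excluded


def lockout_indicator(alarm: Alarm) -> Optional[Dict[str, Optional[str]]]:
    """For the RSW0002 lockout alarm, return the user and client IP a SIEM trigger keys on."""
    if alarm.category != "RSW0002":
        return None
    return {"user": alarm.aid,
            "client_ip": alarm.extra.get("clientIps"),
            "event_time": alarm.event_time}


# The page's filter: forward lockout and restore alarms, but not those for the
# Security Guard test account. "igls-sg" is the page's placeholder for that account.
RSW_LOCKOUT_CODES = ["RSW0002", "RSW0011"]
SECURITY_GUARD_ACCOUNT = "igls-sg"

# Lines 1-3 are the page's own examples; line 4 is constructed (a lockout of the
# Security Guard account). Raw strings keep the backslashes exactly as logged.
SAMPLE_LINES = [
    r'[DEBUG] IGLS_ALARMS:168 - Eyeglass, , Event: 2021-02-26 20:15:23.983, AID:\ifs\data\dfsdata\dlp\, Port:Nil, Type:null, EntityType:, Extra Data:{"reason":"There is no smart quota for /ifs/data/dfsdata/dlp/ limited by a Data Loss Prevention threat detector. no limit is enforced."}, Description:There is no smart quota for a path limited by a Data Loss Prevention threat detector , NSA, Severity:MAJOR, Impact:false, Category:EAU0005',
    r'[DEBUG] IGLS_ALARMS:168 - Eyeglass, , Event: 2021-02-26 19:28:14.496, AID:AD02\sgdemo, Port:Nil, Type:null, EntityType:, Extra Data:{"clientIps":"172.31.1.65","event severity":"CRITICAL","user name":"AD02\\sgdemo","affected files":"\\\\prod8\\System\\ifs\\igls-securityguard\\igls-securityguard-test-file-1614385692201.iglsrswtest","affected Isilon clusters":["prod8"],"detectors":"THREAT_DETECTOR_06","number of affected files":"1","info":"Lockout required."}, Description:Ransomware event received. Event severity: CRITICAL, user: AD02\sgdemo172.31.1.65, NSA, Severity:CRITICAL, Impact:false, Category:RSW0001',
    r'[DEBUG] IGLS_ALARMS:168 - Eyeglass, , Event: 2021-02-26 19:28:23.916, AID:AD02\sgdemo, Port:Nil, Type:null, EntityType:, Extra Data:{"clientIps":"172.31.1.65","info":"Successfully locked out user AD02\\sgdemo"}, Description:Locked user access.172.31.1.65, NSA, Severity:CRITICAL, Impact:false, Category:RSW0002',
    r'[DEBUG] IGLS_ALARMS:168 - Eyeglass, , Event: 2021-02-26 19:30:01.000, AID:AD02\igls-sg, Port:Nil, Type:null, EntityType:, Extra Data:{"clientIps":"172.31.1.70","info":"Successfully locked out user AD02\\igls-sg"}, Description:Locked user access.172.31.1.70, NSA, Severity:CRITICAL, Impact:false, Category:RSW0002',
]


def forwarding_decisions(lines: Sequence[str]) -> List[bool]:
    """True where the page's recommended filter would forward the line."""
    return [syslog_ng_filter(l, RSW_LOCKOUT_CODES, [SECURITY_GUARD_ACCOUNT])
            for l in lines]


if __name__ == "__main__":
    for line, forwarded in zip(SAMPLE_LINES, forwarding_decisions(SAMPLE_LINES)):
        alarm = parse_alarm(line)
        print(alarm.category, alarm.severity,
              "forwarded" if forwarded else "dropped",
              lockout_indicator(alarm) or "")
```

Running it shows the EAU0005 and RSW0001 lines dropped, the real RSW0002 lockout forwarded with its user and client IP extracted, and the constructed Security Guard lockout dropped by the exclusion. Because message() matches anywhere in the line, a substring-based exclusion such as igls-sg also suppresses any alarm whose Extra Data or description happens to mention that account, which is why the recommended approach keys on exact alarm codes.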

How to Troubleshoot SYSLOG Forwarding

  1. enable verbose logging
  2. ssh to eyeglass as admin
  3. sudo -s (enter admin password)
  4. syslog-ng-ctl verbose --set=on
  5. Check the statistics of the forwarding to the logserver label (this is the name assigned to the destination in all the examples)
  6. syslog-ng-ctl stats | grep logserver
    1. If the counters are not incrementing or show zeros it means nothing has matched your filter and nothing was forwarded to your destination 
  7. Reset the stats to zero to test forwarding again; this helps troubleshoot whether the processed counter increments
    1. syslog-ng-ctl stats --reset 

How to use packet capture to see syslog messages sent to your target syslog server

  1. Use this command to monitor any udp syslog messages sent based on matching alarms
  2. Login as admin
  3. sudo -s (enter admin password)
  4. Replace x.x.x.x in the command below with the IP address of the syslog server configured in the settings file /etc/syslog-ng/conf.d/superna.conf above. This command will NOT display any data until a packet is sent to your syslog server based on the matching logic configured in your filter. Leave the command running and continue to the next step.
    1. tcpdump -nnAs0 -i eth0 udp port 514 -v | grep -A 2 "x.x.x.x"  
  5. Open new ssh session as the admin user leaving the other session running
  6. Run the random test alarm command; this creates a random alarm (NOTE: the random alarm may not match your filter logic; adjust your filter logic to match on severity using the example above, following all steps to edit the file and restart syslog-ng)
  7. Run this command below several times until you see a packet appear in the first ssh session that is packet capturing all packets sent to your syslog server.  This will help troubleshoot your filter and allow monitoring in realtime for any packets that are sent.   
    1. igls test AlarmTest 
    2. You may also run this command to verify any matches processed by Syslog-ng filter logic
    3. syslog-ng-ctl stats | grep logserver
  8. Repeat the test command and stats command to verify your forwarding is working.  Check your syslog server to verify the messages are appearing after you have verified the stats and packet capture show successful packets are sent.
  9. Done. 
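To confirm from the receiving side that datagrams actually arrive (the counterpart of the tcpdump step above), here is a throwaway UDP syslog listener as an added example; it is not part of this guide or of the Eyeglass product. It assumes the page's udp() destination with syslog-ng's default template, so each datagram is a BSD-style "<PRI>header message" where PRI = facility * 8 + severity. The datagram it sends to itself is constructed: the PRI value and header are illustrative, and the body reuses the page's RSW0002 alarm text.

```python
import re
import socket
from typing import Dict, List, Optional

# A udp() destination with syslog-ng's default template sends BSD-style datagrams:
# "<PRI>timestamp host message", where PRI = facility * 8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

# Constructed datagram: PRI 13 (user.notice) and the header are illustrative;
# the body is the page's RSW0002 example alarm.
CONSTRUCTED_DATAGRAM = (
    "<13>Feb 26 19:28:23 eyeglass "
    r'[DEBUG] IGLS_ALARMS:168 - Eyeglass, , Event: 2021-02-26 19:28:23.916, AID:AD02\sgdemo, '
    r'Port:Nil, Type:null, EntityType:, Extra Data:{"clientIps":"172.31.1.65","info":"Successfully locked out user AD02\\sgdemo"}, '
    r'Description:Locked user access.172.31.1.65, NSA, Severity:CRITICAL, Impact:false, Category:RSW0002'
)


def decode_pri(datagram: str) -> Dict[str, Optional[object]]:
    """Split a datagram into facility, severity and body; an unexpected shape keeps the body."""
    m = PRI_RE.match(datagram)
    if m is None:
        return {"facility": None, "severity": None, "body": datagram}
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8, "body": m.group(2)}


def open_listener(host: str = "127.0.0.1", port: int = 0) -> socket.socket:
    """Bind the receiving socket. port=0 lets the OS pick a free port for the self-test;
    a real collector binds the port() named in the destination (514 needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock


def receive(sock: socket.socket, count: int, timeout: float) -> List[Dict]:
    """Collect up to `count` datagrams, or stop after `timeout` seconds of silence."""
    sock.settimeout(timeout)
    received: List[Dict] = []
    try:
        while len(received) < count:
            data, (src_ip, _src_port) = sock.recvfrom(65535)
            record = decode_pri(data.decode("utf-8", errors="replace"))
            record["source"] = src_ip  # should be the Eyeglass appliance address
            received.append(record)
    except socket.timeout:
        pass
    return received


def send_udp(dest: tuple, message: str) -> None:
    """Send one datagram, standing in for the appliance's udp() destination."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message.encode("utf-8"), dest)


def loopback_selftest() -> List[Dict]:
    """Send the constructed datagram to our own listener and return what arrived."""
    sock = open_listener()
    try:
        port = sock.getsockname()[1]
        send_udp(("127.0.0.1", port), CONSTRUCTED_DATAGRAM)
        return receive(sock, count=1, timeout=2.0)
    finally:
        sock.close()


if __name__ == "__main__":
    for rec in loopback_selftest():
        print(f"from {rec['source']} facility={rec['facility']} severity={rec['severity']}")
        print(rec["body"])
```

On a test host, bind open_listener("0.0.0.0", 514) as root and point x.x.x.x at that host; if tcpdump on the appliance shows packets leaving but nothing arrives here, the problem is between the two (firewall or routing), not the filter. Note that the severity in the syslog PRI is the syslog-ng level, not the Eyeglass "Severity:" field inside the body.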




Configuration of SNMP Forwarding - Legacy

  1. $ exec bash -l  (to reload your Bash session to pick up new environment settings)
  2. $ sudo -E pygls-snmptrap --setup (to add the required entries to the syslog-ng configuration and to configure the SNMP settings; you can re-run this command to change settings, or edit this file: /opt/superna/sca/conf/snmptraps.ini)
  3. Specify the following:

Server Address: IP address of the SNMP receiver

Port: Port number (default 162)

SNMP Engine ID: SNMP Engine ID for SNMPv3

SNMP Version: Default 2c

Community String: Default public

Example:

Server Address: 172.22.22.29

Port: 162

SNMP Engine ID:

SNMP Version: 2c

Community String: public

  4. To customize what is sent to the SNMP trap destination, follow the instructions below for filtering based on alarm content.
  5. The default configuration will forward all alarms to the SNMP destination.


How to send a test SNMP Trap

$ pygls-snmptrap --test (to test sending snmp message to snmp receiver - verify this test message is received on SNMP server)

SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = Superna Eyeglass Syslog-NG SNMP Notification Test Message

  1. NOTE: By default the log filter will send all messages as traps. This will be a lot of trap messages.
  2. It is recommended to replace the default with a specific filter on alarm severity. See the next section below.

How to configure SNMP alarm Forwarding - Legacy

This section explains how to select log message text to forward to SNMP. It can be used to send only INFO, WARNING or CRITICAL events, or to send specific events, for example Ransomware events or DR events. The default configuration will forward all alarms to the SNMP destination.

  1. ssh to the appliance as the admin user
  2. sudo -s
  3. Enter the admin password
  4. nano /etc/syslog-ng/conf.d/superna-snmp.conf
  5. Edit the section below, adding or deleting message strings in the f_superna_snmp filter section. See the example of alarm severity forwarding below. Adding additional strings allows application alarms to be forwarded.

< 2.5.7 Configuration Example

filter f_superna_snmp {

     message("Severity:CRITICAL") or message("Severity:WARNING") ;

};



destination superna_snmp {
program(
"/usr/local/bin/pygls-snmptrap"
flush_lines(1)
flags(no_multi_line)
template("$ISODATE $HOST EYEGLASS $MSGHDR$MSG\n")
);
};

log {
source(src);
source(chroots);
filter(f_superna_snmp);
destination(superna_snmp);
};

> 2.5.7 Configuration Example

filter f_superna_snmp {

     message("Severity:CRITICAL") or message("Severity:WARNING") ;

};


source igls_src { file("/opt/superna/sca/logs/igls_alarms.log"); };

destination superna_snmp {
program(
"/usr/local/bin/pygls-snmptrap"
flush_lines(1)
flags(no_multi_line)
template("$ISODATE $HOST EYEGLASS $MSGHDR$MSG\n")
);
};

log {
source(igls_src);
filter(f_superna_snmp);
destination(superna_snmp);
};

  1. Save and Exit the file (press the letter i to insert text, when done type : then type wq + enter key)
  2. Disable SNMP Mark Heartbeat
    1. Modify syslog-ng config file
    2. nano /etc/syslog-ng/syslog-ng.conf
    3. Add mark-freq(0); inside options { } clause.
    4. Example string: options { chain_hostnames(off); flush_lines(0); perm(0640); stats_freq(3600); threaded(yes); mark-freq(0); }
    5. Save and Exit the file (press the letter i to insert text, when done type : then type wq + enter key)
  3. Now restart logging service
    1. systemctl restart syslog-ng
  4. To verify the file was edited correctly and make sure syslog-ng is running
    1. systemctl status -l syslog-ng
  5. done.



Example of SNMP Messages received from Eyeglass

SNMP Messages for Replication Jobs status

8/21/2017 3:55:26 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:26-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:26,634 [pool-97-thread-2] DEBUG MAIN ReplicationTask:lambda$run$982 [246] - ReplicationTask is done.        0        0        7619067        2

8/21/2017 3:55:21 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:21-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:21,753 [pool-96-thread-1] DEBUG MAIN ReplicationTask:lambda$run$980 [217] - Fetching post-configuration inventory.        0        0        7618578        2

8/21/2017 3:55:21 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:21-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:21,753 [pool-96-thread-1] DEBUG MAIN ReplicationTask:lambda$run$980 [214] - Unblocking deletes from the database        0        0        7618578        2

8/21/2017 3:55:20 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:20,985 [pool-97-thread-1] DEBUG MAIN ReplicationTask:lambda$run$979 [179] - Writing replication xml file.        0        0        7618502        2

8/21/2017 3:55:20 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:20,968 [pool-97-thread-2] DEBUG MAIN ReplicationTask:lambda$run$977 [124] - Writing fingerprints        0        0        7618499        2

8/21/2017 3:54:59 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:00,021 [pool-97-thread-1] DEBUG MAIN ReplicationTask:lambda$run$976 [109] - Fetching current inventory before running replication        0        0        7616408        2

8/21/2017 3:54:59 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:00,017 [pool-97-thread-1] DEBUG MAIN ReplicationTask:lambda$run$976 [104] - Clearing deleted items cache        0        0        7616408        2

8/21/2017 3:54:59 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:00,003 [cron4j-task-10] INFO MAIN ReplicationTask:run [90] - Starting ReplicationTask        0        0        7616404        2

SNMP Messages for Policy Readiness

8/21/2017 3:41:09 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:41:09-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:41:09,012 [pool-68-thread-1] DEBUG MAIN PolicyReadinessValidation:doPolicyValidation [194] - Policy readiness validation completed successfully        0        0        7533303        2

8/21/2017 3:41:00 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:41:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.policyreadiness.PolicyReadinessValidation.doPolicyValidation(PolicyReadinessValidation.java:138)        0        0        7532456        2

SNMP Messages for Zone Readiness

8/21/2017 3:45:17 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:17-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:45:17,296 [pool-75-thread-1] DEBUG MAIN ReadinessJobResultHandler:handleResult [64] - JOB rnsm04-c03_rnsm04-c04: Status: {"state":"FINISHED","jobStatus":"OK","started":1503301507126,"finished":1503301507532,"duration":406,"name":"AccessZoneValidation rnsm04-c03_rnsm04-c04","info":"Access Zone Validation","children":[],"modified":1503301507532}        0        0        7558132        2

8/21/2017 3:45:08 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:45:07,480 [pool-80-thread-1] DEBUG MAIN AccessZoneValidation:doAccessZoneValidation [213] - {        0        0        7557218        2

8/21/2017 3:45:07 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.zonereadiness.operations.AccessZoneValidation.call(AccessZoneValidation.java:53)        0        0        7557171        2

8/21/2017 3:45:07 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.zonereadiness.operations.AccessZoneValidation.call(AccessZoneValidation.java:70)        0        0        7557171        2

8/21/2017 3:45:07 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.zonereadiness.operations.AccessZoneValidation.doAccessZoneValidation(AccessZoneValidation.java:315)        0        0        7557170        2

8/21/2017 3:45:07 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.zonereadiness.operations.AccessZoneValidation.collectConfigReplication(AccessZoneValidation.java:1127)        0        0        7557170        2

8/21/2017 3:45:07 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.zonereadiness.operations.AccessZoneValidation$$Lambda$428/501745496.apply(Unknown Source)        0        0        7557167        2

8/21/2017 3:45:07 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.zonereadiness.operations.AccessZoneValidation.lambda$collectConfigReplication$743(AccessZoneValidation.java:1127)        0        0        7557167        2

8/21/2017 3:45:07 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:45:07,226 [pool-28-thread-2] DEBUG MAIN AccessZoneValidation:doAccessZoneValidation [213] - {        0        0        7557154        2

SNMP Messages for ALARM

8/21/2017 3:57:00 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,035 [cron4j-task-8] DEBUG MAIN AlarmDataManager:executeSave [2817] - >> Keys: Sync-Key: 'rnsm04-03', Severity: 'MAJOR', Description: 'ECA Service unreachable to scan for events'        0        0        7628414        2

8/21/2017 3:57:00 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,034 [cron4j-task-8] INFO MAIN AlarmDataManager:executeSave [2815] - Sending alarm from '' to DB        0        0        7628413        2

8/21/2017 3:57:00 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,028 [cron4j-task-8] DEBUG MAIN AlarmDataManager:executeSave [2817] - >> Keys: Sync-Key: '172.22.4.109', Severity: 'MAJOR', Description: 'ECA Node inactive or in error state'        0        0        7628412        2

8/21/2017 3:57:00 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,028 [cron4j-task-8] INFO MAIN AlarmDataManager:executeSave [2815] - Sending alarm from '' to DB        0        0        7628411        2

8/21/2017 3:57:00 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,025 [cron4j-task-8] DEBUG MAIN AlarmDataManager:executeSave [2817] - >> Keys: Sync-Key: '172.22.4.108', Severity: 'MAJOR', Description: 'ECA Node inactive or in error state'        0        0        7628411        2

8/21/2017 3:57:00 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,025 [cron4j-task-8] INFO MAIN AlarmDataManager:executeSave [2815] - Sending alarm from '' to DB        0        0        7628411        2

8/21/2017 3:56:59 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,019 [cron4j-task-8] DEBUG MAIN AlarmDataManager:executeSave [2817] - >> Keys: Sync-Key: '172.22.4.107', Severity: 'MAJOR', Description: 'ECA Node inactive or in error state'        0        0        7628408        2

SNMP Message for Overall DR Status

8/21/2017 3:47:12 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:47:12-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:47:12,283 [pool-4-thread-33] DEBUG MAIN Policies:getAllPolicies [56] - [{"policy_name":"InsightIQ-NFSDS","policy_enabled":true,"policy_last_success":1497605568000,"policy_last_run":1497605568000,"policy_last_status":"finished","policy_status":"SUCCESS","overall_dr_status":"WARNING","job_status":"SUCCESS","job_name":"rnsm04-c03_InsightIQ-NFSDS","job_last_run":1503301518896,"job_last_success":1503301518896,"job_source":"rnsm04-c03","job_destination":"rnsm04-c04","job_enabled":true,"job_has_policy":true,"audit_status":"AUDITSUCCEEDED","policy_readiness_last_success":1503301524918},{"policy_name":"z01-smb01-synciq","policy_enabled":true,"policy_last_success":1498033910000,"policy_last_run":1498033910000,"policy_last_status":"finished","policy_status":"SUCCESS","overall_dr_status":"WARNING","job_status":"SUCCESS","job_name":"rnsm04-c03_z01-smb01-synciq","job_last_run":1503301518900,"job_last_success":1503301518900,"job_source":"rnsm04-c03","job_destination":"rnsm04-c04","job_enabled":true,"job_has_policy":true,"audit_status":"AUDITSUCCEEDED","policy_readiness_last_success":1503301524923},{"policy_name":"z01-smb01-synciq_mirror","policy_enabled":false,"policy_last_success":1498033810000,"policy_last_run":1498033905000,"policy_last_status":"finished","policy_status":"DISABLED","overall_dr_status":"FAILED_OVER","job_status":"DISABLED","job_name":"rnsm04-c04_z01-smb01-synciq_mirror","job_last_run":1498033840357,"job_last_success":1498033840357,"job_source":"rnsm04-c04","job_destination":"rnsm04-c03","job_enabled":false,"job_has_policy":true,"audit_status":"AUDITSUCCEEDED","policy_readiness_last_success":1503301528213}]        0        0        7569630        2

SNMP Message for Failover

8/21/2017 5:49:55 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,241 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [69] - {        0        0        8305934        2

8/21/2017 5:49:55 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,238 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [70] - **************************************************************************************************************        0        0        8305934        2

8/21/2017 5:49:55 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,238 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [69] - {        0        0        8305907        2

8/21/2017 5:49:55 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,236 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [70] - **************************************************************************************************************        0        0        8305907        2

8/21/2017 5:49:54 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,236 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [69] - {        0        0        8305880        2

8/21/2017 5:49:54 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,234 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [70] - **************************************************************************************************************        0        0        8305879        2

8/21/2017 5:49:54 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 localhost EYEGLASS [INFO] SYSLOG:154 - Eyeglass, , Event: 2017-08-21 05:49:54.253, AID:rnsm04-c03_Policy Failover 2017-08-21_05-47-05, Port:Nil, Type:null, EntityType:, Extra Data:{"Status":"Success","Finished":1503308994249,"Started":1503308826347,"URL":"https://172.22.4.89/failover_logs/Policy_Failover__rnsm04-c03__2017-08-21_05-47-05__SUCCESS/Policy_Failover__rnsm04-c03__2017-08-21_05-47-05__SUCCESS.json"}, Description:Failover Succeeded , NSA, Severity:INFORMATIONAL, Impact:false, Category:SCA0040        0        0        8305846        2

8/21/2017 5:49:54 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,234 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [69] - {        0        0        8305837        2

8/21/2017 5:49:54 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,229 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:appendReportsToLog [66] - **************************************************************************************************************        0        0        8305837        2

8/21/2017 5:49:54 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,228 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:appendReportsToLog [65] - SyncIQ Reports For Policy: z01-smb01-synciq        0        0        8305836        2

8/21/2017 5:49:38 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:38-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:38,740 [pool-298-thread-1] DEBUG MAIN QuotaJobFactory:runPrepJob [77] - Is controlled failover? true        0        0        8304276        2

8/21/2017 5:49:38 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:38-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:38,470 [pool-281-thread-1] DEBUG MAIN QuotaJobFactory:runPrepJob [77] - Is controlled failover? true        0        0        8304249        2

8/21/2017 5:47:28 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:47:28-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:47:28,151 [pool-273-thread-1] DEBUG MAIN RunConfigurationReplication:handleReplication [48] - Starting replication during failover.        0        0        8291218        2

8/21/2017 5:47:06 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:47:06-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:47:06,520 [pool-273-thread-1] DEBUG MAIN FailoverStep:call [132] - DONE Wait for other failover jobs to complete        0        0        8289054        2

8/21/2017 5:47:06 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:47:06-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:47:06,516 [pool-273-thread-1] DEBUG MAIN FailoverStep:call [118] - Starting Wait for other failover jobs to complete        0        0        8289053        2

8/21/2017 5:47:05 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:47:05-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:47:05,574 [pool-4-thread-120] INFO MAIN PolicyFailoverJobFactory:createJob [83] - in policy failover        0        0        8288959        2

SNMP Message for Ransomware Events

8/21/2017 6:36:25 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:25-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:25,923 [pool-4-thread-146] DEBUG MAIN HandleRdaEvent:post [24] - Received ECA ransomware notification for sid S-1-5-21-4205747320-2446522354-1604720750-11190        0        0        8584996        2

8/21/2017 6:36:25 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:25-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:25,923 [pool-4-thread-146] DEBUG MAIN RequestDispatcher:getPlugin [180] - retrieving plugin: com.superna.scaapi.plugins.ransomware.HandleRdaEvent        0        0        8584995        2

8/21/2017 6:36:25 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:25-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:25,901 [pool-4-thread-146] DEBUG MAIN HandleRdaEvent:post [24] - Received ECA ransomware notification for sid S-1-5-21-4205747320-2446522354-1604720750-11190        0        0        8584993        2

8/21/2017 6:36:25 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:25-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:25,901 [pool-4-thread-146] DEBUG MAIN RequestDispatcher:getPlugin [180] - retrieving plugin: com.superna.scaapi.plugins.ransomware.HandleRdaEvent        0        0        8584993        2

8/21/2017 6:36:21 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:21-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:21,151 [Thread-31] INFO SYSLOG AlarmHandlerTask:run [154] - Eyeglass, , Event: 2017-08-21 06:36:21.149, AID:RNSM04\rnsm04-t32, Port:Nil, Type:null, EntityType:, Extra Data:{"severity":"WARNING","user name":"RNSM04\\rnsm04-t32","files":["\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\dtest3.txt","\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\ctest4.txt","\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\dtest1.txt"],"explanation":"New ransomware event created","sid":"S-1-5-21-4205747320-2446522354-1604720750-11190"}, Description:Ransomware signal received. , NSA, Severity:CRITICAL, Impact:false, Category:SCA0061        0        0        8584517        2

8/21/2017 6:36:21 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:21-04:00 localhost EYEGLASS [INFO] SYSLOG:154 - Eyeglass, , Event: 2017-08-21 06:36:21.149, AID:RNSM04\rnsm04-t32, Port:Nil, Type:null, EntityType:, Extra Data:{"severity":"WARNING","user name":"RNSM04\\rnsm04-t32","files":["\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\dtest3.txt","\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\ctest4.txt","\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\dtest1.txt"],"explanation":"New ransomware event created","sid":"S-1-5-21-4205747320-2446522354-1604720750-11190"}, Description:Ransomware signal received. , NSA, Severity:CRITICAL, Impact:false, Category:SCA0061        0        0        8584517        2

8/21/2017 6:36:20 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,301 [pool-4-thread-146] DEBUG MAIN HandleRdaEvent:post [24] - Received ECA ransomware notification for sid S-1-5-21-4205747320-2446522354-1604720750-11190        0        0        8584437        2

8/21/2017 6:36:20 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,300 [pool-4-thread-146] DEBUG MAIN RequestDispatcher:getPlugin [180] - retrieving plugin: com.superna.scaapi.plugins.ransomware.HandleRdaEvent        0        0        8584437        2

8/21/2017 6:36:20 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,282 [pool-4-thread-146] DEBUG MAIN HandleRdaEvent:post [24] - Received ECA ransomware notification for sid S-1-5-21-4205747320-2446522354-1604720750-11190        0        0        8584434        2

8/21/2017 6:36:20 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,280 [pool-4-thread-146] DEBUG MAIN RequestDispatcher:getPlugin [180] - retrieving plugin: com.superna.scaapi.plugins.ransomware.HandleRdaEvent        0        0        8584434        2

8/21/2017 6:36:20 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,265 [pool-4-thread-146] DEBUG MAIN HandleRdaEvent:post [24] - Received ECA ransomware notification for sid S-1-5-21-4205747320-2446522354-1604720750-11190        0        0        8584429        2

8/21/2017 6:36:20 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,264 [pool-4-thread-146] DEBUG MAIN RequestDispatcher:getPlugin [180] - retrieving plugin: com.superna.scaapi.plugins.ransomware.HandleRdaEvent        0        0        8584429        2

8/21/2017 6:36:20 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,183 [pool-4-thread-146] DEBUG MAIN HandleRdaEvent:post [24] - Received ECA ransomware notification for sid S-1-5-21-4205747320-2446522354-1604720750-11190        0        0        8584421        2
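The captures above show that legacy SNMP forwarding sends every matched line, including DEBUG and INFO log chatter, as a trap, so a receiver has to pick out the real alarm records ("Eyeglass, , Event: ...") and then filter on Severity and Category. The parser below is an added example, not Superna code; it works on the text of the enterprises.50412.1.1 varbind as shown in the captures, and the sample payloads, hostnames, SIDs and file paths in it are constructed placeholders.

```python
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
# Only "Eyeglass, , Event:" records are alarms; the bash[...] DEBUG/INFO lines are forwarded
# log noise that a trap receiver should drop. The field layout follows the captures above.
ALARM_RE = re.compile(
    r"Eyeglass, , Event: (?P<event>[^,]+), AID:(?P<aid>.*?), Port:[^,]*, Type:[^,]*, "
    r"EntityType:[^,]*, Extra Data:(?P<extra>\{.*\}), Description:(?P<desc>.*?), NSA, "
    r"Severity:(?P<severity>[A-Z]+), Impact:(?P<impact>true|false), Category:(?P<category>SCA\d+)"
)
# Severities seen in the captures; an unknown value ranks above all of them so it is never dropped.
SEVERITY_RANK = {"INFORMATIONAL": 0, "WARNING": 1, "CRITICAL": 2}
UNKNOWN_RANK = max(SEVERITY_RANK.values()) + 1

@dataclass
class Alarm:
    event_time: str
    aid: str
    description: str
    severity: str
    impact: bool
    category: str
    extra: dict

def parse_alarm(varbind_text: str) -> Optional[Alarm]:
    """Return the Alarm carried in the enterprises.50412.1.1 string, or None for a plain log line."""
    m = ALARM_RE.search(varbind_text)
    if not m:
        return None
    try:
        extra = json.loads(m.group("extra"))       # Extra Data is a JSON object in the captures
    except json.JSONDecodeError:
        extra = {"_raw": m.group("extra")}         # keep the text rather than losing the alarm
    return Alarm(m.group("event"), m.group("aid"), m.group("desc").strip(), m.group("severity"),
                 m.group("impact") == "true", m.group("category"), extra)

def select_alarms(varbinds: Iterable[str], min_severity: str = "WARNING") -> List[Alarm]:
    """Parse each trap payload and keep the alarms at or above min_severity."""
    floor = SEVERITY_RANK[min_severity]
    alarms = (parse_alarm(text) for text in varbinds)
    return [a for a in alarms if a and SEVERITY_RANK.get(a.severity, UNKNOWN_RANK) >= floor]

# Constructed sample payloads (hostnames, SIDs and paths are placeholders, not site data).
SAMPLE_VARBINDS = [
    r'2017-08-21T06:36:20-04:00 igls-host EYEGLASS bash[19595]: 2017-08-21 06:36:20,183 [pool-4-thread-146] DEBUG MAIN HandleRdaEvent:post [24] - Received ECA ransomware notification for sid S-1-5-21-1-2-3-1000',
    r'2017-08-21T06:36:21-04:00 localhost EYEGLASS [INFO] SYSLOG:154 - Eyeglass, , Event: 2017-08-21 06:36:21.149, AID:DOMAIN\svc01, Port:Nil, Type:null, EntityType:, Extra Data:{"severity":"WARNING","user name":"DOMAIN\\svc01","files":["\\\\cluster\\share\\a.txt"],"explanation":"New ransomware event created","sid":"S-1-5-21-1-2-3-1000"}, Description:Ransomware signal received. , NSA, Severity:CRITICAL, Impact:false, Category:SCA0061',
    r'2017-08-21T05:49:54-04:00 localhost EYEGLASS [INFO] SYSLOG:154 - Eyeglass, , Event: 2017-08-21 05:49:54.253, AID:cluster_Policy Failover, Port:Nil, Type:null, EntityType:, Extra Data:{"Status":"Success"}, Description:Failover Succeeded , NSA, Severity:INFORMATIONAL, Impact:false, Category:SCA0040',
]
```

With the default WARNING floor only the SCA0061 ransomware alarm survives; lowering the floor to INFORMATIONAL also returns the SCA0040 failover alarm, while the DEBUG line is always discarded.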


© Superna LLC