Receiving Alert Notifications

To receive a notification when an alert fires, configure the alert to be sent to a previously configured destination: an email address, an SNMP server, a Syslog server, Transformation Hub, or ESM.

By default, only alerts sent to email destinations include all of the matched events that triggered the alert. You can configure Logger to include matched events for SNMP, Syslog, Transformation Hub, and ESM destinations as well. However, this configuration is only possible through the Logger command-line interface, so contact customer support for instructions.

For information on how to configure destinations, see ESM Destinations, Transformation Hub Destinations, and Syslog Destinations. To configure email destinations, also see Static Routes.

Note: By default, audit events for alerts are written only to the Internal Storage Group and are not forwarded to ESM. If you need to forward these audit events to ESM destinations, contact customer support for assistance. This applies only to audit events generated for alerts; other audit events can be sent to ESM destinations.

Sending Notifications to Email Destinations

When you send notifications for an alert via email, the email message contains both the trigger alert information and the matched (base) events.

The following is an example of the trigger alert information:

Alert event match count [1], threshold [10] sec  

And the matched event:

Event Time [Tue May 11 16:46:49 PST 2016]
Event Receipt Time [Tue May 11 16:46:50 PST 2016]
Event Device Address [192.0.2.1]
Event Content [May 11 10:31:20 localhost 
CEF:0|NetScreen|Firewall/VPN||traffic:1|Permit|Low| eventId=590 msg=start_time\= "2016-05-11 15:25:02" duration\=15 policy_id\=0 service\=SSH proto\=6 src zone\=Trust dst zone\=Untrust action\=Permit sent\=656 rcvd\=680 src\=192.0.2.4 dst\=192.0.2.5 src_port\=54759 dst_port\=22 translated ip\=192.0.2.2 port\=54759 app=SSH proto=TCP in=680 out=656 categorySignificance=/Normal categoryBehavior=/Access categoryDeviceGroup=/Firewall categoryOutcome=/Success categoryObject=/Host/Application/Service art=1165861874880 cat=Traffic Log deviceSeverity=notification act=Permit rt=1165861874880 shost=n111-h046.qa.arcsight.com src=192.0.2.4 sourceZoneURI=/All Zones/System Zones/Private Address Space/RFC1918: 192.0.2.0-192.255.255.255 sourceTranslatedAddress=192.0.2.2 sourceTranslatedZoneURI=/All Zones/System Zones/Public Address Space/192.0.2.0-192.0.255.255 spt=54759 sourceTranslatedPort=54759 dst=192.0.2.10 destinationZoneURI=/All Zones/System Zones/Private Address Space/RFC1918: 192.0.2.0-192.255.255.255 dp]
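The notification body above is plain text wrapping a raw CEF record, so anything that consumes these emails (a ticketing integration, a SOAR playbook, a mailbox-polling script) has to parse it properly rather than split on `=`: the `msg=` value in the sample carries escaped `\=` sequences that a naive split would turn into bogus keys, and the CEF header uses `|` separators that may themselves be escaped. The following Python is an added example, not code from Logger or its documentation. It parses a constructed notification body modelled on the format shown above (the sample text, the `parse_notification` and `parse_cef` helpers, and the field names they return are assumptions of this example, not a documented Logger API) into the alert summary, the `Event ...` fields, and the decoded CEF header and extension.

```python
import re
from typing import Any, Dict

# Constructed sample modelled on the notification shown above; the CEF
# extension is shortened and the msg= value simplified. Not a real capture.
SAMPLE_NOTIFICATION = r"""Alert event match count [1], threshold [10] sec
Event Time [Tue May 11 16:46:49 PST 2016]
Event Receipt Time [Tue May 11 16:46:50 PST 2016]
Event Device Address [192.0.2.1]
Event Content [May 11 10:31:20 localhost CEF:0|NetScreen|Firewall/VPN||traffic:1|Permit|Low| eventId=590 msg=start_time\= "2016-05-11 15:25:02" duration\=15 service\=SSH src\=192.0.2.4 dst\=192.0.2.5 app=SSH proto=TCP act=Permit src=192.0.2.4 spt=54759 dst=192.0.2.10 dpt=22]
"""

# "Alert event match count [N], threshold [T] sec" (line format assumed from the sample above)
_ALERT_RE = re.compile(r"Alert event match count \[(\d+)\], threshold \[(\d+)\] sec")
# "Event <Name> [<value>]"; DOTALL lets a wrapped Event Content span several lines
_FIELD_RE = re.compile(r"^(Event [A-Za-z ]+?) \[(.*?)\]\s*$", re.MULTILINE | re.DOTALL)
# An extension key is preceded by whitespace (or start of text) and followed by an
# unescaped '='; keys never contain '\', so "start_time\=" inside a value does not match.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
_HEADER_NAMES = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")


def _split_header(text: str):
    """Split the seven CEF header fields on unescaped '|' (backslash escapes '|' and '\\')."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        c = text[i]
        if c == "\\" and i + 1 < len(text) and text[i + 1] in "|\\":
            cur.append(text[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header: fewer than 7 '|'-separated fields")
    return fields, text[i:]


def _unescape_value(value: str) -> str:
    """Extension values escape '=', '\\', newline and carriage return with a backslash."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext: str) -> Dict[str, str]:
    """Key=value pairs; a value runs up to the next unescaped key and may contain spaces."""
    out: Dict[str, str] = {}
    keys = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_value(ext[m.end():end].strip())
    return out


def parse_cef(record: str) -> Dict[str, Any]:
    """Parse one CEF record (starting at 'CEF:') into header fields plus an 'extension' dict."""
    fields, extension = _split_header(record)
    if not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields[0] = fields[0][len("CEF:"):]
    parsed: Dict[str, Any] = dict(zip(_HEADER_NAMES, fields))
    parsed["extension"] = _parse_extension(extension)
    return parsed


def parse_notification(body: str) -> Dict[str, Any]:
    """Split an alert email body into the alert summary, the Event fields and the decoded CEF."""
    result: Dict[str, Any] = {"alert": {}, "event": {}}
    m = _ALERT_RE.search(body)
    if m:
        result["alert"] = {"match_count": int(m.group(1)), "threshold_seconds": int(m.group(2))}
    for fm in _FIELD_RE.finditer(body):
        result["event"][fm.group(1)] = fm.group(2)
    content = result["event"].get("Event Content", "")
    if "CEF:" in content:
        # Everything before 'CEF:' is the syslog prefix (timestamp, host); keep only the record
        result["cef"] = parse_cef(content[content.index("CEF:"):])
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(parse_notification(SAMPLE_NOTIFICATION), indent=2))
```

Two points for anyone building on this. First, the event content is whatever the reporting device (or anyone who can write to its log) emitted, so treat every decoded value as untrusted input: the parser unescapes but does not validate, and a field such as `shost` or `msg` should never be interpolated into a shell command, a query, or HTML by the consumer. Second, the documented sample ends mid-key (`dp]`), which shows that notification bodies can be cut short; the key scanner above simply ignores a trailing fragment with no `=`, so a consumer should expect partial extensions rather than failing on them.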
