Using SNMP traps, for example to monitor firewall logins.
Goal: Get an alert on each login, even dups (same login, later, same device), only one per login though.
The issue is in clearing the event.
If you set "multiple events" there is no need to clear it; it will generate a new event for each login. However, the event stays (more precisely the trigger for it stays) in the active triggers list.
If you do not set multiple events, you need a way to clear the event in order to see the next one. You can do something with time-related functions, but any time leaves an opening where another login might come and be missed, so it does not seem acceptable.
If you do set multiple events, AND use a time-related function to clear the trigger, that seems ideal - the trigger stays a while then clears. Except -- you get multiple trigger fires for the same trap -- this would at least appear to be a bug, though it is treated as a feature request and has been open a long time (see here).
Please note it is very easy to suppress the alert for the "OK"; I am not worried about that aspect. What I am trying to suppress is the active trigger display showing these, as people encounter it in various ways (I already set it "not classified" but it still causes confusion).
Has anyone found a RELIABLE workaround to this, that doesn't also provide a window for missing traps, or duplicating alerts for them?