
Ontap 9.1 Event Suppression

I have set up event notification for security events like 'security.invalid.login' to be emailed to an ALERT list. This is an attempt at basic attack detection.

The first event tested perfectly, then it stopped!

 

Investigation revealed 'event config show' suppression = ON.

 

Now here is where I want to have my cake and eat it!!

 

Is it possible to exclude certain events such as security from event suppression? This is important for 2 reasons:

 

1) We actually receive event notifications as expected without suppression of security.*

2) Our logs show an accurate picture of security events for example a brute force attack

 

My alternative would be to turn off suppression; however, it would be nice to tailor suppression if it was possible.

 

Rgds AndyP

 

Re: Ontap 9.1 Event Suppression

Interesting use cases.

 

Can you try to create a filter just for security and add that to the filter on the suppression:

 

Filter Exempt from Suppression:  no-info-debug-events

 

 

Re: Ontap 9.1 Event Suppression

OK, I have done this:

 

event filter> show
Filter Name Rule     Rule      Message Name           SNMP Trap Type  Severity
            Position Type
----------- -------- --------- ---------------------- --------------- --------
default-trap-events
            1        include   *                      *               EMERGENCY, ALERT
            2        include   callhome.*             *               ERROR
            3        include   *                      Standard, Built-in
                                                                      *
            4        exclude   *                      *               *

 

failedlogin-events
            1        include   security.invalid.login *               ALERT
            2        exclude   *                      *               *

 

important-events
            1        include   *                      *               EMERGENCY, ALERT
            2        include   callhome.*             *               ERROR
            3        exclude   *                      *               *


no-info-debug-events
            1        include   *                      *               EMERGENCY, ALERT, ERROR, NOTICE
            2        exclude   *                      *               *

 

 

event config*> show
                             Mail From:  XXXXXX@XXXXXXX 
                           Mail Server:  HHHH.DDDD.COM
                             Proxy URL:  -
                            Proxy User:  -
                           Suppression:  on
                               Console:  on
                   Max Target Log Size:  36700160
                      Max Filter Count:  50
                 Max Filter Rule Count:  128
                 Max Destination Count:  20
                Max Notification Count:  20
        Filter Exempt from Suppression:  failedlogin-events
 Duplicate Suppression Duration (secs):  120
             Log Rotation Size (bytes):  40MB
      REST API Delivery Timeout (secs):  60

 

I then generated a failed logon, but the event was not logged! a.k.a. it was suppressed.

 

If I turn off suppression, all works OK and the failed login is recorded and shown in:

 

event log > show

3/28/2017 13:31:37  hncl1-01         ALERT         security.invalid.login: Failed to authenticate login attempt to Vserver: hncl1, username: XXXXXX\YYYYYYY, application: ssh.
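As an added example (not from the original thread and not NetApp code): a small Python script that parses `event log show` lines in the format shown in the post, runs a sliding-window brute-force detector over them (the "accurate picture of a brute force attack" the original poster wants), and then applies a simplified model of duplicate suppression to show why a suppressed log cannot support that detection. The sample log lines, the node/Vserver/user names, the 5-failures-in-120-seconds threshold and the suppression model are all assumptions made for this example; the page does not describe ONTAP's actual suppression algorithm, only that "Duplicate Suppression Duration" is 120 s.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of `event log show` output in the format shown in the post.
# Timestamps, node name, Vserver and user names are made up for this example.
SAMPLE_LOG = """\
3/28/2017 13:31:37  hncl1-01         ALERT         security.invalid.login: Failed to authenticate login attempt to Vserver: hncl1, username: CORP\\alice, application: ssh.
3/28/2017 13:31:41  hncl1-01         ALERT         security.invalid.login: Failed to authenticate login attempt to Vserver: hncl1, username: CORP\\alice, application: ssh.
3/28/2017 13:31:50  hncl1-01         ALERT         security.invalid.login: Failed to authenticate login attempt to Vserver: hncl1, username: CORP\\alice, application: ssh.
3/28/2017 13:32:03  hncl1-01         ALERT         security.invalid.login: Failed to authenticate login attempt to Vserver: hncl1, username: CORP\\alice, application: ssh.
3/28/2017 13:32:19  hncl1-01         ALERT         security.invalid.login: Failed to authenticate login attempt to Vserver: hncl1, username: CORP\\alice, application: ssh.
3/28/2017 13:32:44  hncl1-01         ALERT         security.invalid.login: Failed to authenticate login attempt to Vserver: hncl1, username: CORP\\alice, application: ssh.
3/28/2017 13:33:10  hncl1-01         ALERT         security.invalid.login: Failed to authenticate login attempt to Vserver: hncl1, username: CORP\\bob, application: http.
"""

# "<date> <time>  <node>  <severity>  <message.name>: <free text>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<node>\S+)\s+(?P<sev>[A-Z]+)\s+"
    r"(?P<msg>[\w.]+):\s*(?P<text>.*)$"
)
# Fields inside the security.invalid.login text, as shown in the post.
DETAIL_RE = re.compile(
    r"Vserver: (?P<vserver>[^,]+), username: (?P<user>[^,]+), application: (?P<app>[^.]+)\."
)


def parse_event(line):
    """Parse one event log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {
        "ts": datetime.strptime(m.group("ts"), "%m/%d/%Y %H:%M:%S"),
        "node": m.group("node"),
        "sev": m.group("sev"),
        "msg": m.group("msg"),
        "text": m.group("text"),
    }
    d = DETAIL_RE.search(ev["text"])
    if d:
        ev.update(d.groupdict())
    return ev


def parse_log(text):
    """Parse all recognisable lines of an `event log show` dump."""
    return [ev for ev in (parse_event(l) for l in text.splitlines()) if ev]


def detect_bruteforce(events, threshold=5, window_secs=120):
    """Sliding-window detector: alert once per (vserver, user) when the number of
    security.invalid.login events inside the window reaches `threshold`."""
    alerts = []
    recent = defaultdict(deque)  # (vserver, user) -> timestamps in window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["msg"] != "security.invalid.login":
            continue
        key = (ev.get("vserver"), ev.get("user"))
        q = recent[key]
        q.append(ev["ts"])
        while q and (ev["ts"] - q[0]).total_seconds() > window_secs:
            q.popleft()
        if len(q) == threshold:  # fire exactly when the threshold is crossed
            alerts.append({
                "vserver": key[0], "user": key[1], "count": len(q),
                "first": q[0], "last": ev["ts"],
            })
    return alerts


def suppress_duplicates(events, duration_secs=120):
    """Simplified duplicate-suppression model (an assumption for this example, not
    ONTAP's documented algorithm): an event with the same node, message name and
    text as one already emitted within `duration_secs` is dropped."""
    kept, last_emitted = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["node"], ev["msg"], ev["text"])
        t = last_emitted.get(key)
        if t is not None and (ev["ts"] - t).total_seconds() <= duration_secs:
            continue
        last_emitted[key] = ev["ts"]
        kept.append(ev)
    return kept


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("unsuppressed log:", len(events), "events ->", detect_bruteforce(events))
    kept = suppress_duplicates(events)
    print("with duplicate suppression:", len(kept), "events ->", detect_bruteforce(kept))
```

Against the unsuppressed sample the detector raises one alert for CORP\alice (5 failures inside the window); after the simplified 120 s duplicate suppression only two lines survive and the same detector sees nothing, which is the visibility loss the original poster describes. The detector keys on (Vserver, username) because the message text is identical across attempts; if your notification path only carries the message name, count per source instead.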