ONTAP Discussions

Ontap 9.1 Event Suppression

parkea2
5,995 Views

I have setup event notification for security events like 'security.invalid.login'  to be email  to an ALERT list.  This is an attempt at basic attack detection.

The first event tested perfect then it stopped !

 

Investigation revealed  'event config show'  suppression = ON.

 

Now here is where I want to have my cake and eat it !!  

 

Is it possible to exclude certain events such as security from event suppression.  This is important for 2 reasons:

 

1) We actual receive event notiifcations as expected without suppression of security.*

2) Our logs show an accurate picture of security events for example a brute force attack

 

My ailternative would be to turn off suppression however it would be nice to tailor suppression if it was possible.

 

Rgds AndyP

 

3 REPLIES 3

JGPSHNTAP
5,985 Views

Intersting use cases.  

 

Can you try to create a filter just for security and add that to the filter on the supression

 

Filter Exempt from Suppression:  no-info-debug-events

 

 

parkea2
5,961 Views

Ok I have done this:

 

event filter> show
Filter Name Rule     Rule      Message Name           SNMP Trap Type  Severity
            Position Type
----------- -------- --------- ---------------------- --------------- --------
default-trap-events
            1        include   *                      *               EMERGENCY, ALERT
            2        include   callhome.*             *               ERROR
            3        include   *                      Standard, Built-in
                                                                      *
            4        exclude   *                      *               *

 

failedlogin-events
            1        include   security.invalid.login *               ALERT
            2        exclude   *                      *               *

 

important-events
            1        include   *                      *               EMERGENCY, ALERT
            2        include   callhome.*             *               ERROR
            3        exclude   *                      *               *


no-info-debug-events
            1        include   *                      *               EMERGENCY, ALERT, ERROR, NOTICE
            2        exclude   *                      *               *

 

 

event config*> show
                             Mail From:  XXXXXX@XXXXXXX 
                           Mail Server:  HHHH.DDDD.COM
                             Proxy URL:  -
                            Proxy User:  -
                           Suppression:  on
                               Console:  on
                   Max Target Log Size:  36700160
                      Max Filter Count:  50
                 Max Filter Rule Count:  128
                 Max Destination Count:  20
                Max Notification Count:  20
        Filter Exempt from Suppression:  failedlogin-events
 Duplicate Suppression Duration (secs):  120
             Log Rotation Size (bytes):  40MB
      REST API Delivery Timeout (secs):  60

 

I then generated a failed logon but the event was not logged ! aka it was suppressed.

 

If I turn off suppression all works OK and the failed login is recorded and shown in:

 

event log > show

3/28/2017 13:31:37  hncl1-01         ALERT         security.invalid.login: Failed to authenticate login attempt to Vserver: hncl1, username: XXXXXX\YYYYYYY, application: ssh.

 

Nate1202
4,604 Views

It doesn't seem to work in ONTAP 9.1P9.  Creating an 'include' filter for a single event ONLY shows that event 

 

 

Filter Name Rule     Rule      Message Name           SNMP Trap Type  Severity
            Position Type
----------- -------- --------- ---------------------- --------------- --------
security_invalid_login
            1        include security.invalid.login *                 ALERT
            2        exclude *                      *                 *

 

 

 

xxxxxxxx::> event log show -filter-name security_invalid_login

 

Time Node Severity Event
------------------- ---------------- ------------- ---------------------------
3/20/2018 11:24:28 xxxxxxxx ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: xxxxxxxx, username: admin, application: ontapi.
3/20/2018 10:24:28 xxxxxxxx ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: xxxxxxxx, username: admin, application: ontapi.
3/20/2018 09:24:28 xxxxxxxx ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: xxxxxxxx, username: admin, application: ontapi.
3/20/2018 08:24:28 xxxxxxxx ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: xxxxxxxx, username: admin, application: ontapi.
3/20/2018 07:24:28 xxxxxxxx ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: xxxxxxxx, username: admin, application: ontapi.
3/20/2018 06:24:28 xxxxxxxx ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: xxxxxxxx, username: admin, application: ontapi.
3/20/2018 05:24:28 xxxxxxxx ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: xxxxxxxx, username: admin, application: ontapi.
3/20/2018 04:24:28 xxxxxxxx ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: xxxxxxxx, username: admin, application: ontapi.

 

 

Changing this to an 'exclude' rule type allows viewing all except these messages.

Public