02-18-2009 12:39 AM
Our FO is receiving lots of alarms from ISG2000 FW for alarms/events like land attack, port scan etc...
We want to filter specific alarms/events in ISG FW from sending SNMP traps to the NMS.
I tried to filter the alarms in the ISG GUI -> Configuration -> Report Settings -> Log Settings
but FO is still receiving alarms/events.
Any advice on how we can filter specific alarms/events in ISG FW?
02-21-2009 06:31 AM - edited 02-23-2009 06:48 AM
Thanks a lot for your help;
Here is the output of the command you asked to be run:
FWGPRSMUS:FWGPRSMUS01(M)-> get log setting
Levels: 0=Emergency, 1=Alert, 2=Critical, 3=Error, 4=Warning, 5=Notification,
        6=Information, 7=Debugging, '-' = disabled
Module   Console   Internal  Email     SNMP      Syslog
system   01234567  01234567  012--5--  012-----  01234567
Module   WebTrends NSM       PCMCIA
system   012--5--  01234567  01234567
The output shows that the "alerts" are sent by SNMP, 012-----
We can disable the alerts to be advertised to the NMS using "unset log module system level alert destination SNMP"; is this the right way to do it?
I just wanna know if there are any other important logs with "alert" level to be sent to the NMS, other than Land attacks & Port scan,
because using the command above will prevent all the logs at alert level from being advertised by SNMP.
Is it possible for us to filter alarms based on the description of alarms and not by log level?
For example, we would like to filter all Land Attacks, Port Scan, Ping of Death, etc., not to be sent thru SNMP?
We are afraid that we will not be able to send other significant alarms thru SNMP if we filter by log level.
02-23-2009 08:09 PM
Yes, to disable ALERT level logs sent via SNMP, enter this command:
unset log module system level alert destination snmp
Additionally, to disable CRITICAL level logs sent via SNMP, enter this command:
unset log module system level critical destination snmp
You have valid concerns.
In order to see all the possible ALERT level logs, refer to the ScreenOS System Log Message Guide.
You can run the command, get log event level <level>, to view the alarms you are getting at that level on your firewall.
You can send the ALERT level logs to a SYSLOG server and process them from that angle.
Unfortunately, you can't select the log level by the log description.
Hope that helps.
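One way to do the syslog-side processing suggested in the reply above, as an added example that is not part of the original thread or any Juniper tooling: a filter that decides per message whether to raise it to the NMS, using both severity and description. It assumes the syslog server receives lines with a standard <PRI> header; the sample lines and their message layout are constructed for illustration.

```python
import re

# Severity numbers as listed in the `get log setting` legend in the thread.
LEVELS = ["emergency", "alert", "critical", "error",
          "warning", "notification", "information", "debugging"]

# Descriptions the poster wants kept away from the NMS (taken from the thread).
SUPPRESS = ("land attack", "port scan", "ping of death")

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def parse(line):
    """Split a syslog line into (severity_name, message) using the <PRI> header."""
    m = PRI_RE.match(line.strip())
    if not m or int(m.group(1)) > 191:
        return None  # no valid PRI header; the caller decides what to do
    return LEVELS[int(m.group(1)) % 8], m.group(2)

def should_forward(line, max_level="critical"):
    """True if the line should be raised to the NMS.

    Unparseable lines are forwarded, so a change in log format never
    silently hides alarms.
    """
    parsed = parse(line)
    if parsed is None:
        return True
    severity, message = parsed
    if LEVELS.index(severity) > LEVELS.index(max_level):
        return False  # less severe than what the NMS should see
    text = message.lower()
    return not any(s in text for s in SUPPRESS)

def forwarded(lines):
    """Return only the lines that should reach the NMS."""
    return [l for l in lines if should_forward(l)]

# Constructed sample lines (PRI 129 = local0.alert, 134 = local0.information).
SAMPLE = [
    "<129>fw01: Land attack! From 192.0.2.10 to 192.0.2.10",
    "<129>fw01: Port scan! From 198.51.100.7 to 192.0.2.20",
    "<129>fw01: Example alert-level event not on the suppress list",
    "<134>fw01: Example information-level event",
    "garbled line without a priority header",
]

if __name__ == "__main__":
    for l in forwarded(SAMPLE):
        print(l)
```

With this in place, alert-level events stay visible to the NMS except for the named descriptions, which is the per-description filtering the firewall itself cannot do.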