
RE: [ISSForum] Tivoli introduced into RS environment...overflowing console and db



I appreciate all the responses; however, my grandfather passed away last night and I am out of town. I will reply as soon as possible. Thanks for all the responses. I really appreciate it.

Thanks
Calvin


From: "Cloonan, John (ISS Cincinnati)" <JCloonan@xxxxxxx>
To: "O'Flynn, Derek" <DOFlyn@xxxxxxxxxx>, "issforum@xxxxxxxxxxxxxxxx" <issforum@xxxxxxx>, <reiver2002@xxxxxxxxxxx>
Subject: RE: [ISSForum] Tivoli introduced into RS environment...overflowing console and db
Date: Mon, 26 Jan 2004 09:05:30 -0500


If you do not mind having Server Sensor simply ignore the event you can
do so using the Trusted_User_List or local exceptions.

Refer to the Server Sensor documentation or to the following whitepaper
for complete instructions.
http://www.issadvisor.com/viewtopic.php?t=204&highlight=customizing

thanks,
John



*******************************************************
John Cloonan
Product Manager
Internet Security Systems
*******************************************************




  _____

From: issforum-admin@xxxxxxxxxxxxxxxx On Behalf Of O'Flynn, Derek
Sent: Friday, January 23, 2004 1:32 PM
To: issforum@xxxxxxxxxxxxxxxx
Subject: RE: [ISSForum] Tivoli introduced into RS
environment...overflowing console and db



Call ISS and ascertain if you can rewrite the event to exclude logins
occurring from the Tivoli server IP.  Or see if they can rewrite the
event to exclude the Tivoli Username.

Derek

-----Original Message-----
From: Calvin Tait [mailto:reiver2002@xxxxxxxxxxx]
Sent: Thursday, January 22, 2004 8:31 PM
To: issforum@xxxxxxx
Subject: [ISSForum] Tivoli introduced into RS environment...overflowing
console and db

Hello,
I've been running Real Secure Server Sensors on all our servers for a few
years.  Yesterday, a separate tool, Tivoli, was turned up in the
environment.  Tivoli requires a W2K server administrator account to run.

The Tivoli agent logs in 6 times locally every 2 minutes to kick off
programs.  Each login triggers two alerts:

1. User login with admin privileges
2. User logon with special admin privileges

These two alerts pop up for every sensor * 6 * # of servers in each farm.
It fills 4 gigs of database space every hour and floods the console to the
point it's useless.
I can't disable the alerts because we are required to have them and store
them for a period of time for due diligence.  I work for a large financial
institution and every admin login must be recorded and saved.  Has anyone
ever used Tivoli in an environment that co-existed with Tivoli?  I can't
find a single discussion on the net or in both product knowledge bases.  I
do not use Tivoli with the Real Secure Plug-in.  They operate
independently of each other.  Any help would be greatly appreciated!!!!  I'm
at wit's end.  I can't delete the excess rows in the db as fast as they are
coming in.

Thanks!!!
R
_______________________________________________
ISSForum mailing list
ISSForum@xxxxxxx

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo

