Events
Once an endpoint has been discovered and is being monitored, certain changes in its state or behavior will be logged by Endpoint Analytics as events, which can also be used to alert network and security operations.
By default, events will be delivered to the web interface and can be viewed in the Recent Events dashboard widget or the View Endpoint Events page under the Endpoints menu group, but they can also be configured for delivery to internal or external syslog servers.
The Configuration > Events submenu allows events to be configured to suit a wide range of usage scenarios.
Event types
Endpoint Analytics events can be configured as one of the following types:
New endpoint
Triggered when a new endpoint is initially discovered and/or when a profile is assigned to it (including not profiled).
Note
A factory-default All New Endpoints event is pre-configured to match all endpoint profiles and will be triggered whenever Endpoint Analytics discovers a new endpoint MAC address.
Profile change (entering)
Triggered when an endpoint is migrated from one profile assignment to the specified profile(s) (other than Not Profiled), such as when newly observed identity attributes result in a higher match score with a different profile.
Profile change (exiting)
Triggered when an endpoint is migrated from the specified profile(s) assignment to another or when an endpoint returns to being classified as Not Profiled.
Alarm profile
Triggered by user-defined Alarm Profiles that contain profile rules or MAC vendor information that may indicate the presence of endpoints with irregular, suspicious, or potentially dangerous attributes.
Profile consistency
Triggered when an endpoint in the specified profile(s) has identity attributes that satisfy the requirements of multiple profile assignments.
Adding events
To add a new event to the system, select Add Event from the events configuration submenu, and then do the following:
1. In Event Name:, enter a unique, case-sensitive name for the event.
2. (Optional) In Event Logic:, enter a regular expression that must be matched for a profile to be monitored for the event. If /.*/ or no event logic expression is entered, the event will trigger for endpoints in any profile.
Note
In the case of alarm profile events, the event logic expression defines the alarm profile whose rules must be matched by endpoints to trigger the event.
3. Select the event type to be created from the dropdown menu. If it is a profile change event, select whether it is an entering or exiting event from the second dropdown menu.
4. (Optional) Select the checkbox under Event Delivery Method: to enable syslog delivery for the event. For additional information on configuring event delivery outside the web interface, see Delivering events to syslog.
5. In Event Level:, select a severity level to assign to the event (used in various web interface views).
6. Enable the event, and then click Save to save the configuration.
Hint
The Add Event page can also be accessed by selecting List Events from the events configuration submenu, and then clicking Add Event.
Events are triggered only if they are enabled, and newly configured events are activated only after the next system re-model.
Delivering events to syslog
Endpoint Analytics events can be delivered to the internal system syslog or to external syslog servers for additional analysis after the necessary system-level changes are made through the appliance’s OS.
Hint
If necessary, contact your system administrator or Plixer Technical Support for assistance with configuring these settings.
Event delivery to internal syslog
To configure the system for event delivery to internal syslog, do the following:
1. Open an SSH session to the Endpoint Analytics appliance, and then elevate to root with the su command.
2. Open the internal syslog configuration file by entering:
# vi /etc/rsyslog.d/50-default.conf
3. In line 9 of the file, replace:
*.*;auth,authpriv.none -/var/log/auth.log
with:
*.*;auth,authpriv.* -/var/log/auth.log
4. After saving the changes, enter the following command to restart the rsyslog service to apply the delivery changes:
# systemctl restart rsyslog
With this configuration set, any events that have syslog delivery enabled will be logged to the internal syslog on the Endpoint Analytics appliance every time they are triggered.
Event delivery to external syslog
To configure the system for event delivery to an external syslog server, do the following:
1. Open an SSH session to the Endpoint Analytics appliance, and then elevate to root with the su command.
2. Open the syslog configuration file by entering:
# vi /etc/rsyslog.d/99-beacon.conf
3. In line 13 of the file, replace:
# authpriv.alert @log.host.port
with:
# authpriv.alert @75.76.75.76:9992
replacing 75.76.75.76:9992 with the syslog host address and listening port number.
4. After saving the changes, enter the following command to restart the rsyslog service to apply the delivery changes:
# systemctl restart rsyslog
With this configuration set, any events that have syslog delivery enabled will be logged to the external syslog server every time they are triggered.
syslog event format
syslog messages for Endpoint Analytics events are logged in the following format:
<EVENT_DATE_TIME> <SERVER_HOST_NAME> [<SYSLOG_PROCESS_ID>]:
<EVENT_TYPE>. Event Name: [<EVENT_NAME>] Switch/port:
<SWITCH_IP_ADDRESS>(<SWITCH_PORT_INDEX>) Profile: (<CURRENT_PROFILE>)
MAC: (<ENDPOINT_MAC_ADDRESS>) Old Profile: (<PREVIOUS_PROFILE>) End
node: <ENDPOINT_MAC_ADDRESS>(<ENDPOINT_IP_ADDRESS>)
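As an added example (not code from the Endpoint Analytics product or its documentation), the following Python parses syslog lines in the format above into their named fields and applies a simple triage rule a SOC might run on the external syslog feed; the exact timestamp shape, the sample lines and the SENSITIVE_PROFILES watchlist are assumptions.

```python
import re
from typing import Optional

# Regex for the documented event format (group names follow its placeholders); the timestamp shape is assumed.
EVENT_RE = re.compile(
    r"^(?P<event_date_time>.+?) (?P<server_host_name>\S+) \[(?P<syslog_process_id>\d+)\]: "
    r"(?P<event_type>[^.]+)\. Event Name: \[(?P<event_name>[^\]]+)\] "
    r"Switch/port: (?P<switch_ip_address>\S+?)\((?P<switch_port_index>[^)]*)\) "
    r"Profile: \((?P<current_profile>[^)]*)\) MAC: \((?P<endpoint_mac_address>[^)]*)\) "
    r"Old Profile: \((?P<previous_profile>[^)]*)\) End node: (?P<end_node_mac>[^(]+)\((?P<endpoint_ip_address>[^)]*)\)$"
)
# Hypothetical watchlist: device classes that should not quietly be re-profiled.
SENSITIVE_PROFILES = {"Printer", "VoIP Phone", "IP Camera"}

def parse_event(line: str) -> Optional[dict]:
    """Return the event's fields as a dict, or None if the line is not an EA event."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(event: dict) -> str:
    """Label a parsed event 'alert', 'review' or 'info' for a SOC queue."""
    etype = event["event_type"].lower()
    if etype.startswith("alarm profile"):
        return "alert"  # matched a user-defined Alarm Profile
    if "profile change" in etype and event["previous_profile"] in SENSITIVE_PROFILES:
        return "review"  # a sensitive device class was re-profiled
    if "consistency" in etype:
        return "review"  # attributes satisfy more than one profile
    return "info"

def triage_lines(lines):
    """Parse each syslog line; return (event name, MAC, label) for lines that parse."""
    results = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            results.append((ev["event_name"], ev["endpoint_mac_address"], triage(ev)))
    return results

# Constructed sample lines (not real data) in the documented format.
SAMPLE_LINES = [
    "Jan 14 10:22:03 ea-appliance [4132]: Profile Change. Event Name: [Printer Reprofiled] "
    "Switch/port: 10.0.0.5(17) Profile: (IP Camera) MAC: (00:11:22:33:44:55) "
    "Old Profile: (Printer) End node: 00:11:22:33:44:55(10.0.1.42)",
    "Jan 14 10:25:41 ea-appliance [4132]: Alarm Profile. Event Name: [Rogue Vendor] "
    "Switch/port: 10.0.0.5(3) Profile: (Not Profiled) MAC: (aa:bb:cc:dd:ee:ff) "
    "Old Profile: () End node: aa:bb:cc:dd:ee:ff(10.0.1.77)",
    "Jan 14 10:31:00 ea-appliance [4132]: unrelated message",
]
```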
Managing events
Selecting List Events from the events configuration submenu opens a summary page that lists all the configured events and their current settings in a table.
From the Events List page, the following event management actions can be performed:
Adding a new event
As an alternative to using the Add Event option under the events configuration submenu, click Add Event at the bottom of the table to open the Add Event page.
Inspecting or editing event settings
To view or edit the current settings of an event, click the event name in the list to open the Edit Event page. Events can also be enabled or disabled from this page.
Deleting an event
To delete an event, click the event name to open its Edit Event page, and then click Delete on the upper part of the page.