FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
Andy_G
Staff
Article Id 190752

Description

Summary of Topic

This article explains how to verify whether the AccelOps (AO) AppServer sent an email notification after an incident was created. There are two ways to confirm that an email was successfully sent: from the AppServer logs, or from a historical report in the GUI.

 

Steps

Option 1 - Raw Logs

1.  From the GUI, look up the Incident Id of the example incident for which the customer reports that an email notification was not sent.

2.  Check that the Email Notification Policy is set up correctly.

3.  Search /opt/glassfish/domains/domain1/logs/phoenix.log on the AppServer for the Incident Id obtained in step 1.

You should see two entries like those in the following example: one from EmailNotification reporting that the email is being sent for the incident, and one from NotificationHelper recording the action result for that incident ([actionResult]=Successful).

Example:

[root@Accelops-VA-lg1-137 logs]# grep 3215 phoenix.log

2013-11-19 14:33:39,234 INFO [p: thread-pool-1; w: 16117] com.ph.phoenix.service.notify.email.EmailNotification - [PH_GENERIC_INFO]:[phEventCategory]=3,[phCustId]=1,[procName]=AppServer,[eventSeverity]=PHL_INFO,[phLogDetail]=Sending email '[New] WIN2008R264: Server Disk space Warning_case64902 (Super)' to robert.bristow@accelops.com for incident ID 3215

2013-11-19 14:33:40,082 INFO [p: thread-pool-1; w: 16117] com.ph.phoenix.service.notify.NotificationHelper - [PH_INCIDENT_ACTION_STATUS]:[incidentId]=3215,[incidentSrc]=,[phEventCategory]=3,[phCustId]=3,[actionName]=Email:robert.bristow@accelops.com,[customer]=Super,[actionTime]=Tue Nov 19 14:33:40 EST 2013,[incidentTarget]=hostIpAddr:192.168.67.73; hostName:WIN2008R264,[actionResult]=Successful,[policyId]=3004650,[procName]=AppServer,[ruleName]=Server Disk space Warning_case64902,[ruleId]=3004300,[incidentDetail]=diskName:C:\; diskUtil:42.81; freeDiskMB:35078,[eventSeverity]=PHL_INFO,[actionId]=3004700,[phLogDetail]=Record incident notification action result

[root@Accelops-VA-lg1-137 logs]#
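As an added example (not part of this article or of the FortiSIEM/AccelOps product), the following Python script automates the Option 1 check: it reads phoenix.log, matches the two AppServer entries for one exact incident ID, and reports whether the email action was recorded as Successful. Matching the whole ID matters because a bare grep 3215 also hits incident 32150 and any policyId, ruleId or actionId that happens to contain 3215. The log lines embedded in the script are constructed from the format shown above; the recipient address, the extra incidents 3216 and 32150, and the actionResult value Failed are assumptions made for the demonstration.

```python
"""Check phoenix.log for evidence that an incident's email notification went out.

Added example, not FortiSIEM/AccelOps code. It parses the two AppServer entries
shown in the article (EmailNotification "Sending email ... for incident ID N"
and NotificationHelper PH_INCIDENT_ACTION_STATUS) and matches the incident ID
exactly, so a check for 3215 does not also count incident 32150.
"""
import re
import sys

# Constructed sample in the phoenix.log format from the article. The recipient,
# incidents 3216 and 32150, and the actionResult "Failed" are made up for the demo.
SAMPLE_LOG = """\
2013-11-19 14:33:39,234 INFO [p: thread-pool-1; w: 16117] com.ph.phoenix.service.notify.email.EmailNotification - [PH_GENERIC_INFO]:[phEventCategory]=3,[phCustId]=1,[procName]=AppServer,[eventSeverity]=PHL_INFO,[phLogDetail]=Sending email '[New] WIN2008R264: Server Disk space Warning_case64902 (Super)' to soc@example.com for incident ID 3215
2013-11-19 14:33:40,082 INFO [p: thread-pool-1; w: 16117] com.ph.phoenix.service.notify.NotificationHelper - [PH_INCIDENT_ACTION_STATUS]:[incidentId]=3215,[incidentSrc]=,[phEventCategory]=3,[phCustId]=3,[actionName]=Email:soc@example.com,[customer]=Super,[actionTime]=Tue Nov 19 14:33:40 EST 2013,[incidentTarget]=hostIpAddr:192.168.67.73; hostName:WIN2008R264,[actionResult]=Successful,[policyId]=3004650,[procName]=AppServer,[ruleName]=Server Disk space Warning_case64902,[ruleId]=3004300,[incidentDetail]=diskName:C:\\; diskUtil:42.81; freeDiskMB:35078,[eventSeverity]=PHL_INFO,[actionId]=3004700,[phLogDetail]=Record incident notification action result
2013-11-19 14:40:10,001 INFO [p: thread-pool-1; w: 16120] com.ph.phoenix.service.notify.email.EmailNotification - [PH_GENERIC_INFO]:[phEventCategory]=3,[phCustId]=1,[procName]=AppServer,[eventSeverity]=PHL_INFO,[phLogDetail]=Sending email '[New] WIN2008R264: Server Disk space Warning_case64902 (Super)' to soc@example.com for incident ID 3216
2013-11-19 14:40:11,500 INFO [p: thread-pool-1; w: 16120] com.ph.phoenix.service.notify.NotificationHelper - [PH_INCIDENT_ACTION_STATUS]:[incidentId]=3216,[incidentSrc]=,[phEventCategory]=3,[phCustId]=3,[actionName]=Email:soc@example.com,[customer]=Super,[actionTime]=Tue Nov 19 14:40:11 EST 2013,[actionResult]=Failed,[policyId]=3004650,[procName]=AppServer,[phLogDetail]=Record incident notification action result
2013-11-19 15:02:00,700 INFO [p: thread-pool-1; w: 16131] com.ph.phoenix.service.notify.NotificationHelper - [PH_INCIDENT_ACTION_STATUS]:[incidentId]=32150,[incidentSrc]=,[phEventCategory]=3,[phCustId]=3,[actionName]=Email:soc@example.com,[customer]=Super,[actionTime]=Tue Nov 19 15:02:00 EST 2013,[actionResult]=Successful,[policyId]=3004650,[procName]=AppServer,[phLogDetail]=Record incident notification action result
"""

# "Sending email '<subject>' to <recipient> for incident ID <n>" at end of line.
SEND_RE = re.compile(r"\[phLogDetail\]=Sending email .* to (\S+) for incident ID (\d+)\s*$")
# Everything after the PH_INCIDENT_ACTION_STATUS tag is a list of [key]=value fields.
STATUS_RE = re.compile(r"\[PH_INCIDENT_ACTION_STATUS\]:(.*)$")
FIELD_RE = re.compile(r"\[(\w+)\]=")


def parse_status_fields(payload):
    """Split '[k1]=v1,[k2]=v2,...' into a dict.

    Values are cut at the next '[key]=' marker rather than at commas, so a value
    that itself contains a comma (rule names, incidentDetail) stays intact.
    """
    fields = {}
    markers = list(FIELD_RE.finditer(payload))
    for i, m in enumerate(markers):
        start = m.end()
        end = markers[i + 1].start() if i + 1 < len(markers) else len(payload)
        value = payload[start:end]
        if value.endswith(","):
            value = value[:-1]
        fields[m.group(1)] = value
    return fields


def check_email_notification(log_text, incident_id):
    """Return the send attempts and recorded email actions for one incident ID."""
    wanted = str(int(incident_id))
    send_attempts = []   # recipients from EmailNotification "Sending email" lines
    actions = []         # NotificationHelper action records with actionName=Email:...
    for line in log_text.splitlines():
        m = SEND_RE.search(line)
        if m:
            if m.group(2) == wanted:          # exact ID, not a substring match
                send_attempts.append(m.group(1))
            continue
        m = STATUS_RE.search(line)
        if not m:
            continue
        f = parse_status_fields(m.group(1))
        if f.get("incidentId") != wanted or not f.get("actionName", "").startswith("Email:"):
            continue
        actions.append({
            "recipient": f["actionName"][len("Email:"):],
            "result": f.get("actionResult", ""),
            "time": f.get("actionTime", ""),
            "policyId": f.get("policyId", ""),
        })
    if any(a["result"] == "Successful" for a in actions):
        verdict = "sent"
    elif actions:
        verdict = "failed"                    # action recorded, but not Successful
    elif send_attempts:
        verdict = "attempted_no_result"       # send started, no result recorded
    else:
        verdict = "no_attempt"                # nothing logged for this incident
    return {"incidentId": wanted, "send_attempts": send_attempts,
            "actions": actions, "verdict": verdict}


if __name__ == "__main__":
    # Usage: python3 check_notify.py <incidentId> [/opt/glassfish/domains/domain1/logs/phoenix.log]
    iid = int(sys.argv[1]) if len(sys.argv) > 1 else 3215
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    r = check_email_notification(text, iid)
    print(f"incident {r['incidentId']}: {r['verdict']}")
    for a in r["actions"]:
        print(f"  {a['time']}  {a['recipient']}  policyId={a['policyId']}  result={a['result']}")
```

Run it on the AppServer as python3 check_notify.py 3215 /opt/glassfish/domains/domain1/logs/phoenix.log. A verdict of no_attempt points back to step 2 (the notification policy never produced an action for that incident), attempted_no_result means the send was started but no action result was recorded, and failed means an action was recorded with a result other than Successful; only sent corresponds to the two entries shown above.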

 

Option 2 - Run a report to verify

1.  From the GUI, look up the Incident Id of the example incident for which the customer reports that an email notification was not sent.

2.  Check that the Email Notification Policy is set up correctly.

3.  Every entry written to /opt/glassfish/domains/domain1/logs/phoenix.log also generates a system event, so the same two entries shown in Option 1 can be found with a Historical Report.

4.  Run a Historical Report for the time period involved, with the following filters:

System Event Category  = 3

Raw Event Log  CONTAINS  <incident Id number>

 

Screenshots

agodwin_FD39487_tn_FD39487-1.jpg

agodwin_FD39487_tn_FD39487-2.jpg

agodwin_FD39487_tn_FD39487-3.jpg

 

Additional Information

N/A

 

Version Application

3.6.X+
