
PortScans rule is firing excessively and sending too many email alerts

Created by Jason Dee, last modified by MindTouch on Jun 23, 2016


Overview

This article addresses the large number of PortScan alerts received after a LEM upgrade or connector upgrade.

Environment

  • All LEM versions
  • Cisco firewall

Cause 

Your LEM is now normalizing TCP Buildup and Teardown events. Most likely, your Cisco firewall is sending TCP Buildup and Teardown events to LEM that were not normalized on your previous version. To confirm this, search for recent TCPTrafficAudit events in nDepth and check the EventInfo field for Buildup and Teardown events.

Resolution

These events are numerous and not useful in most environments. The recommended solution is to change the logging level of those events so that they are no longer sent over syslog to LEM. Refer to the following article for more information: Enable LEM to Track Cisco Firewall NAT Buildup and Teardown Events.
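Before changing the logging level, it helps to measure how much of the firewall's syslog stream these events account for and at which severity they arrive. The following is an added example, not part of the original article or of LEM: it assumes ASA-format syslog tags, with message IDs 302013 and 302014 for TCP build and teardown, and runs on constructed sample lines.

```python
import re
from collections import Counter

# Assumption: ASA-style message IDs for TCP connection build and teardown.
BUILD_TEARDOWN_IDS = {"302013": "Built TCP", "302014": "Teardown TCP"}

# Captures severity and message ID from a tag such as %ASA-6-302013:
TAG = re.compile(r"%ASA-(\d)-(\d{6}):")

# Constructed sample lines (documentation addresses, invented hostname).
SAMPLE_LINES = [
    "Jun 22 20:18:01 fw01 %ASA-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.7/51000 (198.51.100.7/51000) to inside:10.0.0.5/443 (203.0.113.5/443)",
    "Jun 22 20:18:03 fw01 %ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/51000 to inside:10.0.0.5/443 duration 0:00:02 bytes 1532 TCP FINs",
    "Jun 22 20:18:04 fw01 %ASA-6-302013: Built inbound TCP connection 1002 for outside:198.51.100.8/51001 (198.51.100.8/51001) to inside:10.0.0.5/443 (203.0.113.5/443)",
    "Jun 22 20:18:05 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.9/40000 dst inside:10.0.0.5/22 by access-group 'outside_in' [0x0, 0x0]",
    "Jun 22 20:18:06 fw01 %ASA-6-302014: Teardown TCP connection 1002 for outside:198.51.100.8/51001 to inside:10.0.0.5/443 duration 0:00:02 bytes 880 TCP FINs",
    "Jun 22 20:18:07 fw01 last message repeated 2 times",
]


def tally(lines):
    """Count messages per (message ID, severity); skip lines without a tag."""
    counts = Counter()
    for line in lines:
        match = TAG.search(line)
        if match:
            severity, msg_id = match.groups()
            counts[(msg_id, int(severity))] += 1
    return counts


def build_teardown_share(lines):
    """Fraction of tagged messages that are TCP build or teardown events."""
    counts = tally(lines)
    total = sum(counts.values())
    noisy = sum(n for (msg_id, _), n in counts.items()
                if msg_id in BUILD_TEARDOWN_IDS)
    return noisy / total if total else 0.0


if __name__ == "__main__":
    for (msg_id, severity), n in tally(SAMPLE_LINES).most_common():
        label = BUILD_TEARDOWN_IDS.get(msg_id, "other")
        print(f"{msg_id} severity={severity} count={n} ({label})")
    print(f"build/teardown share: {build_teardown_share(SAMPLE_LINES):.0%}")
```

On an ASA, the level of an individual message is changed with `logging message <syslog_id> level <level>`; the severity reported here shows which messages the current syslog level is letting through.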

 

 

Last modified
20:18, 22 Jun 2016
