Submit a ticketCall us

Get a crash course on Network Monitoring delivered right to your inbox
This free 7-day email course provides a primer to the philosophy, theory, and fundamental concepts involved in IT monitoring. Lessons will explain not only how to perform various monitoring tasks, but why and when you should use them. Sign up now.

Home > Success Center > Log & Event Manager (LEM) > PortScans rule is firing excessively and sending too many email alerts

PortScans rule is firing excessively and sending too many email alerts

Created by Jason Dee, last modified by MindTouch on Jun 23, 2016

Views: 18 Votes: 0 Revisions: 4

Overview

This article addresses large amounts of PortScan alerts received after a LEM upgrade or connector upgrade.

Environment

  • All LEM versions
  • Cisco firewall

Cause 

Your LEM is now normalizing TCP Buildup and Teardown events. Most likely, your Cisco firewall is sending over TCP Buildup and Teardown events to LEM that it was not normalizing on your previous version. This can be confirmed by searching for recent TCPTrafficAudit events under nDepth and looking at the EventInfo field for Buildup and Teardown events.

Resolution

These events are numerous and not useful in most environments. The recommended solution is to change the logging level of those events such that they are not being sent over syslog to LEM. Refer to the following article for more information: Enable LEM to Track Cisco Firewall NAT Buildup and Teardown Events.

 

 

Last modified
20:18, 22 Jun 2016

Tags

Classifications

Public