13 Replies Latest reply on Jul 30, 2012 2:48 AM by cvachovecj

    alert from new MAC

    jeffreyc


      I am trying to set up an alert for a new MAC seen on the network; however, I only want to see direct connections, not indirect. I still want to see indirect connections in UDT, but I just want to trigger the alert on direct only. Anyone know how to accomplish this?

       

      Thanks Jeff

        • Re: alert from new MAC
          jeffreyc

          I'm not sure this is practical. It seems like every time a MAC table changes in an upstream switch I get a new alert. The only way this will work is if I can alert only on direct connections, not indirect.

            • Re: alert from new MAC
              jeffreyc

              Another problem with this is that if I set a time-of-day period on the alert, it looks like it re-alerts for every MAC. We thought it would be nice to set this alert for an after-hours time period to see if any suspicious MACs were showing up on the network. I was hoping that once all the MACs were learned things would settle down and I would see few new MACs showing up on the network.

                • Re: alert from new MAC
                  DanielleH

                  Hi jeffreyc,

                   

                  I've sent this over to the PM.  Hang tight.

                   

                  Thanks,

                  Danielle

                    • Re: alert from new MAC
                      aland

                      Any news on this issue, Danielle? I'm having the same issue.

                        • Re: alert from new MAC
                          jeffreyc

                          not yet

                           


                            • Re: alert from new MAC
                              cvachovecj

                              Hi jeffreyc,

                               

                              Sorry for the delay. I will confirm whether what you want is possible and post the answer.

                               

                              Jiri

                                • Re: alert from new MAC
                                  cvachovecj

                                  Hi,

                                   

                                  Our dev team have provided SQL for a new MAC alert that will only be triggered for direct connections:

                                   

                                   -- Replace the stock view with a direct-connection-only version.
                                   IF  EXISTS (SELECT * FROM sys.views WHERE object_id = OBJECT_ID(N'[dbo].[UDT_NewMACAlert]'))
                                   DROP VIEW [dbo].[UDT_NewMACAlert]
                                   SET ANSI_NULLS ON
                                   GO
                                   
                                   SET QUOTED_IDENTIFIER ON
                                   GO
                                   
                                   Create View [dbo].[UDT_NewMACAlert]
                                   As
                                   
                                   -- One row per new MAC; the output column names match the stock view so the alert definition does not change.
                                   SELECT MAX(L2DIRECT.ID) AS ID, dbo.udt_FormatMACAddressForUI(L2DIRECT.MACAddress) AS MACAddress, 1 as IsNewMac, NULL as NodeID
                                   FROM (
                                   
                                   -- Layer 2 branch only (the stock view unions this with a Layer 3 branch keyed on the router).
                                   SELECT nc.NodeID, nc.Capability, e.EndpointID AS ID, e.MACAddress, e.FirstSeen
                                   FROM UDT_Endpoint e
                                   INNER JOIN UDT_PortToEndpointCurrent p2e ON p2e.EndpointID = e.EndpointID
                                   INNER JOIN UDT_Port p ON p2e.PortID = p.PortID
                                   INNER JOIN UDT_NodeCapability nc ON p.NodeID = nc.NodeID
                                   -- A MAC counts as new only when it first appeared in the latest successful scan of the node that holds it.
                                   WHERE nc.LastSuccessfulScan = e.FirstSeen
                                   AND nc.Capability = 2
                                   -- The one line that differs from the stock view: keep direct connections, drop indirect ones.
                                   AND p2e.ConnectionType = 1
                                   
                                   ) L2DIRECT
                                   GROUP BY MACAddress
                                   
                                   GO
                                  

                                   

                                  For comparison, here is the default new MAC alert:

                                   

                                  IF  EXISTS (SELECT * FROM sys.views WHERE object_id = OBJECT_ID(N'[dbo].[UDT_NewMACAlert]'))
                                  DROP VIEW [dbo].[UDT_NewMACAlert]
                                  SET ANSI_NULLS ON
                                  GO
                                  
                                  SET QUOTED_IDENTIFIER ON
                                  GO
                                  
                                  Create View [dbo].[UDT_NewMACAlert]
                                  As
                                  
                                  SELECT MAX(L2L3UNION.ID) AS ID, dbo.udt_FormatMACAddressForUI(L2L3UNION.MACAddress) AS MACAddress, 1 as IsNewMac, NULL as NodeID
                                  FROM (
                                  
                                  SELECT nc.NodeID, nc.Capability, e.EndpointID AS ID, e.MACAddress, e.FirstSeen 
                                  FROM UDT_Endpoint e
                                  INNER JOIN UDT_PortToEndpointCurrent p2e ON p2e.EndpointID = e.EndpointID
                                  INNER JOIN UDT_Port p ON p2e.PortID = p.PortID
                                  INNER JOIN UDT_NodeCapability nc ON p.NodeID = nc.NodeID
                                  WHERE nc.LastSuccessfulScan = e.FirstSeen
                                  AND nc.Capability = 2
                                  
                                  UNION
                                  
                                  SELECT nc.NodeID, nc.Capability, e.EndpointID AS ID, e.MACAddress, e.FirstSeen 
                                  FROM UDT_Endpoint e
                                  INNER JOIN UDT_IPAddressCurrent ip ON ip.EndpointID = e.EndpointID
                                  INNER JOIN UDT_NodeCapability nc ON ip.RouterNodeID = nc.NodeID
                                  WHERE nc.LastSuccessfulScan = e.FirstSeen
                                  AND nc.Capability = 3
                                  
                                  ) L2L3UNION
                                  GROUP BY MACAddress
                                  
                                  GO
                                  

                                   

                                   To your second question ("delayed alerts"): this use case sounds like a report, created in Report Writer (Create Your Own Orion Report Now) and sent daily using the Report Scheduler.

                                   

                                  Hope that helps.

                                   

                                  Jiri
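
As an added check that is not part of the thread and not SolarWinds code: before swapping the view on a production Orion database, it is worth confirming on constructed data that the direct-only body really drops the rows the default body emits. The Python/SQLite harness below creates stand-in tables with the names the two views join, loads a few constructed endpoints, and runs both view bodies side by side. The table and column names and the inner SELECTs are taken from the posted views; the sample rows, the stand-in for dbo.udt_FormatMACAddressForUI, and the meaning of the numeric codes (ConnectionType 1 = direct as the post states, 2 = indirect, Capability 2 = switch and 3 = router as the L2DIRECT/L2L3UNION aliases suggest) are assumptions made here. The outer GROUP BY is qualified with the subquery alias so SQLite does not resolve it to the formatted output column.

```python
"""Side-by-side check of the direct-only and default UDT_NewMACAlert view bodies.

Added example, not SolarWinds code. SQLite stands in for SQL Server; the
table and column names come from the posted views, everything else
(sample rows, the MAC formatter, the meaning of the numeric codes) is
constructed or assumed here.
"""
import sqlite3

# Minimal stand-ins for the tables the views join (column types assumed).
SCHEMA = """
CREATE TABLE UDT_Endpoint (EndpointID INTEGER, MACAddress TEXT, FirstSeen TEXT);
CREATE TABLE UDT_PortToEndpointCurrent (EndpointID INTEGER, PortID INTEGER, ConnectionType INTEGER);
CREATE TABLE UDT_Port (PortID INTEGER, NodeID INTEGER);
CREATE TABLE UDT_NodeCapability (NodeID INTEGER, Capability INTEGER, LastSuccessfulScan TEXT);
CREATE TABLE UDT_IPAddressCurrent (EndpointID INTEGER, RouterNodeID INTEGER);
"""

# Constructed sample data: nodes 10 and 20 are switches (Capability 2, as the
# L2DIRECT alias suggests), node 30 is a router (Capability 3, joined via
# RouterNodeID). T0 is an earlier scan, T1 the latest scan of every node.
T0, T1 = "2012-07-30 02:00:00", "2012-07-30 02:48:00"
ROWS = {
    "UDT_NodeCapability": [(10, 2, T1), (20, 2, T1), (30, 3, T1)],
    "UDT_Port": [(101, 10), (201, 20)],
    "UDT_Endpoint": [
        (1, "001122334455", T1),  # first seen this scan, on a switch access port
        (2, "66778899AABB", T1),  # first seen this scan, but only behind an uplink
        (3, "CCDDEEFF0011", T0),  # seen in an earlier scan: not new
        (4, "AABBCCDDEEFF", T1),  # first seen this scan, only via the router's L3 data
    ],
    # ConnectionType 1 = direct (stated in the thread); 2 = indirect is assumed.
    "UDT_PortToEndpointCurrent": [(1, 101, 1), (2, 201, 2), (3, 101, 1)],
    "UDT_IPAddressCurrent": [(4, 30)],
}

# Inner SELECTs copied from the two posted views.
L2_BRANCH = """
    SELECT nc.NodeID, nc.Capability, e.EndpointID AS ID, e.MACAddress, e.FirstSeen
    FROM UDT_Endpoint e
    INNER JOIN UDT_PortToEndpointCurrent p2e ON p2e.EndpointID = e.EndpointID
    INNER JOIN UDT_Port p ON p2e.PortID = p.PortID
    INNER JOIN UDT_NodeCapability nc ON p.NodeID = nc.NodeID
    WHERE nc.LastSuccessfulScan = e.FirstSeen
    AND nc.Capability = 2
"""
L3_BRANCH = """
    SELECT nc.NodeID, nc.Capability, e.EndpointID AS ID, e.MACAddress, e.FirstSeen
    FROM UDT_Endpoint e
    INNER JOIN UDT_IPAddressCurrent ip ON ip.EndpointID = e.EndpointID
    INNER JOIN UDT_NodeCapability nc ON ip.RouterNodeID = nc.NodeID
    WHERE nc.LastSuccessfulScan = e.FirstSeen
    AND nc.Capability = 3
"""

# Direct-only body: L2 branch plus the ConnectionType filter, no L3 union.
DIRECT_ONLY_VIEW = f"""
SELECT MAX(L2DIRECT.ID) AS ID, udt_FormatMACAddressForUI(L2DIRECT.MACAddress) AS MACAddress,
       1 AS IsNewMac, NULL AS NodeID
FROM ({L2_BRANCH} AND p2e.ConnectionType = 1) L2DIRECT
GROUP BY L2DIRECT.MACAddress
"""
# Stock body: unfiltered L2 branch unioned with the L3 branch.
DEFAULT_VIEW = f"""
SELECT MAX(L2L3UNION.ID) AS ID, udt_FormatMACAddressForUI(L2L3UNION.MACAddress) AS MACAddress,
       1 AS IsNewMac, NULL AS NodeID
FROM ({L2_BRANCH} UNION {L3_BRANCH}) L2L3UNION
GROUP BY L2L3UNION.MACAddress
"""


def format_mac(raw):
    """Stand-in for dbo.udt_FormatMACAddressForUI (colon-separated output assumed)."""
    return ":".join(raw[i:i + 2] for i in range(0, len(raw), 2)).upper()


def build_db():
    """In-memory database with the stand-in tables and the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.create_function("udt_FormatMACAddressForUI", 1, format_mac)
    con.executescript(SCHEMA)
    for table, rows in ROWS.items():
        placeholders = ",".join("?" * len(rows[0]))
        con.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    return con


def new_macs(view_sql):
    """Return the formatted MACs a view body would hand to the alert, sorted."""
    con = build_db()
    try:
        return sorted(row[1] for row in con.execute(view_sql))
    finally:
        con.close()


if __name__ == "__main__":
    print("default view:", new_macs(DEFAULT_VIEW))
    print("direct only :", new_macs(DIRECT_ONLY_VIEW))
```

Running it shows the default body returning three MACs (the access-port endpoint, the one seen only behind an uplink, and the one known only from the router's Layer 3 data) while the direct-only body returns just the access-port endpoint. The endpoint with the older FirstSeen is excluded by both, which is the `nc.LastSuccessfulScan = e.FirstSeen` condition doing its job: the view only ever reports a MAC on the scan cycle in which it first appeared.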