As a CA Admin, I would like to see Internal Change Auditor events generated when a coordinator is unable to send events to a SIEM subscription.
ER: The customer is concerned with resiliency. When the Splunk event subscription did not move over to another coordinator, they want either a notification that the coordinator could not communicate with the Splunk server, or for Change Auditor to try another coordinator until it finds one that can. They use the Splunk forwarder to trigger alerts in Splunk; they do not use Change Auditor to generate the alerts. Create an ER so that, if a coordinator cannot connect to the subscription target, Change Auditor tries another coordinator (failover), or at least generates a notification after a set amount of time (for example, one hour).
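The requested behaviour, modelled in Python as an added example. This is not Change Auditor's own code and does not reflect how coordinators or SIEM subscriptions are implemented internally; the `Subscription`, `AuditEvent` and `attempt_delivery` names, the one-hour threshold constant and the coordinator names are hypothetical. The model does two things the ER asks for: it walks the coordinator list until one can reach the SIEM target, recording an internal audit event when the delivering coordinator changes, and it records a second audit event once delivery has failed from every coordinator for longer than the threshold, raising it only once per outage.

```python
"""Illustrative model of the requested resiliency behaviour (added example,
not Change Auditor code). Names and the threshold are assumptions."""

from dataclasses import dataclass, field
from typing import Callable, Optional

NOTIFY_AFTER_SECONDS = 3600.0  # "after x amount of time, say an hour" (assumed)


@dataclass
class AuditEvent:
    """Internal audit record the feature would generate (hypothetical shape)."""
    kind: str                   # "failover" or "unreachable"
    coordinator: Optional[str]  # coordinator now delivering, or None for an outage
    at: float                   # time of the condition, seconds since epoch


@dataclass
class Subscription:
    name: str
    coordinators: list          # preferred order, e.g. ["coord-a", "coord-b"]
    active: Optional[str] = None          # coordinator currently delivering
    first_failure_at: Optional[float] = None  # start of the current outage
    alerted: bool = False                 # outage event already raised?
    audit_log: list = field(default_factory=list)


def attempt_delivery(sub: Subscription,
                     can_reach: Callable[[str], bool],
                     now: float) -> Optional[str]:
    """Try the active coordinator first, then the rest in preferred order.

    Returns the coordinator that delivered, or None when every coordinator
    failed. Side effects: updates sub.active, tracks the outage window per
    subscription (not per attempt), and appends an AuditEvent on failover
    and once per sustained outage.
    """
    candidates = ([sub.active] if sub.active else []) + sub.coordinators
    tried = []
    for coord in candidates:
        if coord in tried:          # active coordinator also appears in the list
            continue
        tried.append(coord)
        if can_reach(coord):
            if sub.active is not None and sub.active != coord:
                sub.audit_log.append(AuditEvent("failover", coord, now))
            sub.active = coord
            sub.first_failure_at = None   # successful delivery closes the window
            sub.alerted = False
            return coord

    # Nothing could reach the SIEM target: open or extend the outage window.
    if sub.first_failure_at is None:
        sub.first_failure_at = now
    if not sub.alerted and now - sub.first_failure_at >= NOTIFY_AFTER_SECONDS:
        sub.audit_log.append(AuditEvent("unreachable", None, now))
        sub.alerted = True
    return None


if __name__ == "__main__":
    # Constructed scenario: coord-a drops out, coord-b takes over, then both fail.
    sub = Subscription("splunk", ["coord-a", "coord-b"])
    attempt_delivery(sub, lambda c: c == "coord-a", 0.0)
    attempt_delivery(sub, lambda c: c == "coord-b", 10.0)      # failover event
    for t in (100.0, 1900.0, 3700.0, 7400.0):
        attempt_delivery(sub, lambda c: False, t)               # one outage event
    for event in sub.audit_log:
        print(event)
```

The outage window is kept on the subscription rather than on the individual attempt so that a single transient failure never raises the event; only a failure that persists across attempts for the full threshold does, and it is raised once, with the window cleared by the next successful delivery.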