When NNM detects a real-time event, it can:

  • Send the event to a local log file.
  • Send the event via Syslog to a log aggregator such as Tenable LCE, an internal log aggregation server.
  • Send the event to a third party security event management vendor.

New Host Alerting

You can configure NNM to detect when a new host has been added to the network. By default, NNM has no knowledge of your network’s active hosts, so the first packets NNM sniffs trigger an alert. To avoid this, you can configure NNM to learn the network over a period of days. Once this period is over, any “new” traffic must be from a host that has not communicated during the initial training.

To prevent NNM from triggering new host alerts on known hosts, you can create a known hosts file in the location to which the Known Hosts File configuration parameter is set. Each line of the Known

Hosts File supports a single IPv4 or IPv6 address. Hyphenated ranges and CIDR notation are not supported. NNM must be restarted after creating or making any changes to the Known Hosts File.

When NNM logs a new host, the Ethernet address saves in the message. When NNM is more than one hop away from the sniffed traffic, the Ethernet address is that of the local switch and not the actual host. If the scanner is deployed in the same collision domain as the sniffed server, then the Ethernet address is accurate.

For DHCP networks, NNM often detects a “new” host. Tenable® recommends deploying this feature on non-volatile networks such as DMZ. Users should also consider analyzing NNM “new” host alerts with, which can sort real-time NNM events by networks.