Alerts notify you of any unusual traffic on the network or detect anomalies on log sources or the LogLogic Appliance itself.
You can create alerts specific to your monitoring needs, and use alerts that come pre-configured with Compliance Suites or Log Source Packages. You can also update existing alerts or remove them as needed. Similarly, you can define a new custom alert template and manage the existing custom alert templates. Using the template variables, you can define the alert email subject and alert message body for custom alerts.
You can import/export the custom alert templates and formats between appliances. For more details, refer to the LogLogic Administration Guide.
For any alert, you can designate SNMP trap receivers, Syslog receivers, and Email recipients so that notifications are delivered when the alert triggers.
Topics
• Viewing and Handling Alerts on page 84
• Manage Alert Templates on page 86
• Adding a New Alert Template Format on page 86
• Viewing and Modifying an Alert Template on page 89
• Removing an Alert Template on page 90
• Managing Alert Rules on page 91
• Adding a New Alert Rule on page 93
• Modifying or Removing An Alert on page 98
84 | Chapter 5 Creating and Managing Alerts
Viewing and Handling Alerts
The Show Triggered Alerts page lists events triggered by rules defined for this Appliance to monitor and report on. The Show Triggered Alerts page lets you:
• view all alerts
• filter shown alerts by alert category, priority, alert type, and keywords
• view all system alerts only, regardless of priority
• change the alert category to Acknowledged
• delete the alerts permanently
• (Management Station only) view alerts on a specific managed Appliance or on all managed Appliances
When an alert is triggered, Alert Viewer shows the alert category as New.
To filter and view alerts
1. Choose Alerts > Show Triggered Alerts from the home page.
2. Select the type of alerts to display from the Show drop-down menu.
— All States shows all alerts in all categories.
— New or Acknowledged Alerts shows only alerts in the selected category.
3. Select the alert priority to view from the second drop-down menu. The options are: All Priorities, High, Medium, Low, and All System Alerts. To view all system alerts regardless of priority, select All System Alerts.
4. Select the type of alert from the third drop-down menu. To view all types of alerts, select All Types.
5. (Management Station only) Select the Appliance from which to view triggered alerts.
To aggregate alerts from all managed Appliances into a single list, select All.
6. To filter using keywords, enter the keywords in the Find field and press Enter. The filtered results will be displayed.
Note: When Data Privacy mode is enabled, the following alert types are not displayed on the Show Triggered Alerts page: VPN Connection Alert, VPN Statistic Alert, VPN Message Alert, Pre-defined Search Filter Alert, Cisco PIX/ASA Messages Alert, and Network Policy Alert.
For more information on Data Privacy mode, see the Managing System Settings chapter in the LogLogic Administration Guide.
The Show Triggered Alerts page displays the specified alerts with the following details:
Table 21 Alert Details
Element | Description
Time | Time the alert triggered.
Source IP | Source IP address contained in the syslog message. If an alert is for multiple devices, Device Group is shown as the Source IP.
Priority | The priority of the alert. An alert's priority is specified in the General tab.
Type | The Log Appliance alert type. For a list of alert types, see Table 25 on page 92 and Table 26 on page 93.
Alert Destination | Email addresses, trap receivers, or syslog receivers where notifications were sent when the alert triggered.
To page through and move alerts
To page through multiple results to your query:
• Use the navigation buttons to go to the first, previous, next, or last page, respectively.
• Type the page number and click the corresponding button to view the results on a specific page.
To acknowledge or remove alerts:
• To move alerts to the Acknowledged category, select their checkboxes and click the corresponding button.
• To delete selected alerts, select their checkboxes and click the corresponding button.
• To delete all alerts permanently, regardless of priority, click the corresponding button.
Move an alert to the Acknowledged category once you have been notified of the alert.
Remove an alert once the cause of the alert is corrected.
Manage Alert Templates
The Manage Alert Templates menu allows you to define a new alert template format and manage the custom alert templates. Using the template variables, you can edit the alert message.
The Manage Alert Templates page displays the following details:
Table 22 Manage Alert Templates Details
Element | Description
Filter By Names | Filter using the template names. Enter the keywords and press Enter to view the filtered list.
Name | Name of the alert template.
Type | Type of the alert.
Template Type | Type of template.
Max Message Length | Indicates the maximum character length (including the alert email subject and the alert message) that will be displayed.
Used By Alert(s) | Click the List link to view a list of alerts that use this template.
Adding a New Alert Template Format
You can define a new alert template format using the Add New Alert Format option.
To add an alert template format
1. Choose Alerts > Manage Alert Templates from the navigation menu.
2. The Manage Alert Templates page appears.
3. Click the Add New button. The Add New Alert Format window appears.
4. Define a template name in the Name field. This must be a unique name for each template.
5. From the Alert Type drop-down menu, select the type of alert.
Note: For an ST Appliance, only four alert types are available: Adaptive Baseline Alert, Message Volume Alert, Search Filter Alert, and System Alert.
6. Select the Template Type from the drop-down menu. The options are: Email, Alert History, SNMP Trap, and Syslog. Once you select the template type, the default body for the selected type appears in the Body field.
7. Select a variable from the Variables list.
8. Once you select a variable, the actual string for the selected variable appears in the Variable Text field.
The valid variable string definitions are:
Table 23 Alert Template Variable Definitions
Variable Text | Description
$ALERT_DESCRIPTION | User-defined alert description.
$ALERT_ID | A number specific to the alert type. For example, 050300 for Message Volume Alert.
$ALERT_LOG_SOURCES | A list of log sources assigned to the alert.
$ALERT_NAME | User-defined alert name.
$ALERT_TIME | The time when the alert was triggered.
$ALERT_TYPE | Type of alert. For example, Message Volume Alert.
$ALERT_URL | The URL that opens a page with alertable event details. Do not add any special characters after $ALERT_URL.
$CUSTOM_EMAIL_SUBJECT | A portion of the email subject that is pre-constructed based on the alert type. This field contains alert type-specific details. You cannot change this field.
$CUSTOM_STRING | A portion of the email body that is pre-constructed based on the alert type. This field contains alert type-specific details. You cannot change this field.
$CUSTOM_SYSLOG_STRING | A portion of the alert syslog message that is pre-constructed based on the alert type. This field contains alert type-specific details. You cannot change this field.
$FILTER | Text of a search filter that matched as part of a Search Filter alert.
$FILTER_NAME | A search filter name. This filter is assigned to a Search Filter alert.
$HIGH_THRESHOLD | The high threshold value that was exceeded during alert monitoring.
$LOG | The log message that triggered the alert.
$LOG_SOURCES | The log sources that triggered the alert.
$LOG_SOURCE_IPS | IP addresses of the log sources that triggered the alert.
$LOW_THRESHOLD | The low threshold value that was crossed during alert monitoring.
$NUM_EVENTS | Number of alertable events that happened during the reset time. The reset time temporarily suppresses alerts.
$PRIORITY | The alert priority.
$RECIPIENT | Email, syslog, and SNMP destinations to which the alert was sent.
$RESET_TIME | Alert reset time. The reset time temporarily suppresses alerts.
$SNMP_STRING | A portion of the alert SNMP message that is pre-constructed based on the alert type. This field contains alert type-specific details. You cannot change this field.
$SRC_APPLIANCE | The Appliance that triggered the alert.
$TIME_SPAN | The time span value used in the alert definition.
$TYPE_SYSLOG | Alert type encoding as used in the syslog alert message, for example “MESSAGE_VOLUME_ALERT”.
1. The $$ variable is translated as $. For example, $$ALERT_DESCRIPTION is displayed in the alert history as $ALERT_DESCRIPTION.
2. If you define a number before the variable string, only the specified number of characters is displayed in the alert message when the variable value is longer. For example, if you specify the variable string as $10ALERT_DESCRIPTION, only the first 10 characters of the alert description are displayed. The remaining characters are truncated.
3. Some variables, for example $LOW_THRESHOLD and $HIGH_THRESHOLD, are not supported for every alert type; for those alert types they may be displayed as empty or 0.
4. When some alerts cannot distinguish log sources that have some messages from those that do not have any messages, for example Message Volume Alert and VPN Statistics Alert, they may list all
9. The Maximum Message Length field displays the default maximum character length of the alert email subject and alert message that will be displayed. You can update this value at any time. If the combined length of the alert email subject and alert message is longer than the specified value, the email subject is truncated.
10. When you select the Template Type as Email, the Subject field appears with default subject. Add or change the subject description that will appear in the email. You must enter either email Subject or email Body. You cannot keep both these fields blank.
11. Add or change the default body of the selected template type in the Body field. You can select multiple variables. When adding, make sure you copy and paste the exact variable string (from Variable Text field) in the Body field.
12. Click the Add button to save the new template format. The newly added template will be displayed on the Manage Alert Templates page.
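As an added illustration of the variable rules documented above (the $$ escape, the $10ALERT_DESCRIPTION width prefix, unsupported variables rendering empty) together with the Maximum Message Length and Subject/Body constraints of steps 9 and 10, the following Python sketch applies them to a constructed alert context. It is example code written for this page, not LogLogic's own implementation; the choice to trim the subject first follows step 9, and the sample alert values are constructed.

```python
import re
from typing import Dict, List, Tuple

# Matches "$$" (escaped dollar) or "$<optional width><VARIABLE_NAME>",
# e.g. "$10ALERT_DESCRIPTION" keeps only the first 10 characters.
VAR_RE = re.compile(r"\$(?:(\$)|(\d*)([A-Z][A-Z0-9_]*))")

FORBIDDEN_TAGS = ("<subject>", "</subject>", "<body>", "</body>")


def render(template: str, values: Dict[str, str]) -> str:
    """Expand $VARIABLE references; variables the alert type does not
    supply (e.g. $HIGH_THRESHOLD on a Search Filter alert) render empty."""
    def repl(m):
        if m.group(1):                       # "$$" -> literal "$"
            return "$"
        width, name = m.group(2), m.group(3)
        text = values.get(name, "")          # unsupported variable -> ""
        return text[: int(width)] if width else text
    return VAR_RE.sub(repl, template)


def template_problems(subject: str, body: str) -> List[str]:
    """Return the documented constraint violations for an Email template."""
    problems = []
    if not subject and not body:
        problems.append("subject and body cannot both be blank")
    for field_name, field in (("Subject", subject), ("Body", body)):
        for tag in FORBIDDEN_TAGS:
            if tag in field:
                problems.append(f"{tag} is not allowed in {field_name}")
    return problems


def build_email(subject_tpl: str, body_tpl: str, values: Dict[str, str],
                max_len: int = 65503) -> Tuple[str, str]:
    """Render subject and body; if their combined length exceeds the
    template's Maximum Message Length, trim the subject first (step 9)."""
    problems = template_problems(subject_tpl, body_tpl)
    if problems:
        raise ValueError("; ".join(problems))
    subject, body = render(subject_tpl, values), render(body_tpl, values)
    excess = len(subject) + len(body) - max_len
    if excess > 0:
        subject = subject[: max(0, len(subject) - excess)]
    return subject, body


if __name__ == "__main__":
    # Constructed alert context; the variable names are those of Table 23.
    ctx = {"ALERT_NAME": "Failed logins spike", "PRIORITY": "High",
           "ALERT_TYPE": "Message Volume Alert", "ALERT_ID": "050300",
           "ALERT_DESCRIPTION": "Too many failed SSH logins from one host"}
    subj, body = build_email(
        "[$PRIORITY] $ALERT_TYPE: $ALERT_NAME",
        "Alert $ALERT_ID: $19ALERT_DESCRIPTION (fee $$5, high $HIGH_THRESHOLD)",
        ctx)
    print(subj)   # [High] Message Volume Alert: Failed logins spike
    print(body)   # Alert 050300: Too many failed SSH (fee $5, high )
```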
Viewing and Modifying an Alert Template
You can only view the default (system defined) alert templates. You cannot edit or delete the default alert templates. However, you can update or delete the custom (user defined) templates.
To view the default alert template format
1. Choose Alerts > Manage Alert Templates from the navigation menu.
2. Click on the default alert template name to view the format details. The following illustration displays the Network Policy Email template format.
To modify a custom alert template format
1. Choose Alerts > Manage Alert Templates from the navigation menu.
2. The Manage Alert Templates page appears.
3. Click on the template name to update the format details. You can only update the custom alert templates.
4. Make the necessary changes. Click the Update button to save the changes.
5. If you wish to save the template format with a different name for later use, update the template Name and click Save As.
Note: When the selected Template Type is Email, the default maximum character length is 65503.
You cannot have <subject>, </subject>, <body>, and </body> tags in the Subject or Body field.
Removing an Alert Template
You cannot delete the default alert templates. However, you can delete the custom alert templates.
To remove an alert template
1. Choose Alerts > Manage Alert Templates from the navigation menu.
2. Select the checkbox next to the template name and click the Remove selected template(s) button (that is located above the list on the top banner). You can only delete the custom templates.
3. Click Yes on the confirmation window to delete the selected alert template. The confirmation window lists all associated alert rules for the selected template.
The selected template will be removed from the Manage Alert Template list.
When you delete the selected template, all associated alert rules that are using this template will use the default templates.
Managing Alert Rules
Manage Alert Rules lets you define rules to detect unusual traffic on your network or detect Appliance system anomalies. You can add, modify, or remove alerts. You can configure alerts to send SNMP traps, syslog messages, and/or an email notification when the alert rule is triggered. Each Appliance includes a default set of alerts. You can modify these alerts and add to them as needed. You do not need to set up an SNMP or syslog server for the default alerts.
If you have the Manage Alerts privileges, you can modify or delete alerts created by other users.
The Manage Alert Rules page displays the following details:
Table 24 Manage Alert Rules Details
Element | Description
Find | Filter using keywords. Enter the keywords in the Find field and press Enter.
Name | Name of the alert.
Type | Type of the alert.
Priority | The defined priority of the alert.
Enabled | Indicates whether the alert is active:
—You must assign a User and Alert Receiver for this alert.
—You must assign a Device for this alert.
Description | Description of the alert.
Preconfigured System Alerts
System Alerts notify you when system health and status criteria exceed the acceptable bounds. All LogLogic Appliances include several system alerts that are preconfigured and enabled. By default, these alerts have:
• Email notifications sent to the Appliance admin user
• Priority set to high
• Default reset time of 300 seconds except (TCP Forward Falling Behind alert has a
All these alert settings can be customized as needed.
Table 25 Preconfigured System Alerts
Alert | Description | Default
System Alert - CPU Temperature | The temperature of the Appliance CPU has exceeded the specified High Threshold | 70 degrees Celsius
System Alert - Disk Usage | The usage of the specified drive on the Appliance has exceeded the specified High Threshold | 80%
System Alert - Dropped Message | The number of messages dropped by the Appliance has exceeded the specified High Threshold | 10 msg/sec
System Alert - Fail Over * | A failover has occurred on the Appliance | n.a.
System Alert - Migration Complete * | A data migration involving the Appliance has completed successfully | n.a.
System Alert - Network Connection Speed | The speed of the network connection for the Appliance has dropped below the specified Low Threshold | 10-Half
System Alert - Network Interface | A problem occurred with the Appliance network interface | n.a.
System Alert - RAID Disk Failure | A failure occurred on an Appliance RAID disk | n.a.
System Alert - Synchronization Failure * | A failure occurred during log data synchronization on the Appliance | n.a.
For the TIBCO Enterprise Virtual Appliance (EVA), only the following pre-configured system alerts are available:
• System Alert - Disk Usage
• System Alert - Dropped Message
• System Alert - Fail Over
• System Alert - Migration Complete
• System Alert - Synchronization Failure
Adding a New Alert Rule
Adding an alert to the Appliance involves selecting the type of alert, enabling the alert, specifying the log sources to monitor, and specifying alert recipients (SNMP traps, syslog receivers, and email user IDs).
Modifying an alert lets you change the same options available here for adding an alert.
To add an alert rule
1. Choose Alerts > Manage Alert Rules from the navigation menu.
2. Click the Add New button.
3. In the Type tab, select an alert type.
Once you select an alert type, the General tab for that alert type automatically appears. The Devices, Alert Receivers, Email Recipients, and Templates tabs are enabled.
When setting up an alert, do not pick search expressions with variables in them. Doing so treats variables as having a literal meaning.
Table 26 Alert Types
Alert Type | Triggered when...
Adaptive Baseline Alert | The messages/second rate rises above, or falls below, the nominal rate for the traffic. Note: A baseline is established 1 week after the alert activation time. After the baseline is established, it is adjusted every 15 minutes; the new value is averaged in with the past baseline.
Cisco PIX/ASA Messages Alert | The messages/second rate for a specific PIX/ASA message code is above or below specified rates.
Message Volume Alert | The messages/second rate is above or below specified rates. If the user selects the “Zero Message Alert” checkbox, an alert is triggered only if zero messages are received within the set timespan. Note: Zero Message Alerts are supported only on local devices, not on device groups spanning all LMIs.
Network Policy Alert * | A network policy message is received with an Accept or Deny Policy Action. The Appliance automatically pulls Check Point firewall rule bases via the Check Point Management Interface (CPMI), but you still must manually enter rules for a Network Policy Alert in the Rules tab.
Parsed Data Alert | Parsed data meets certain conditions specified for the alert. Parsed Data alerts are different from other alert types; they are based on Pre-defined Search Filter alerts. See Parsed Data Alerts on page 97.
Pre-defined Search Filter Alert | A text search filter matches message fields. This uses one of the Appliance's saved RegEx Search Filters.
Ratio Based Alert | The specified message count is above or below a specified percentage of total messages. For example, “Login Success message count is fewer than 10% of total messages.” The Appliance checks for any conditions that would trigger a Ratio Based Alert every 60 seconds.
System Alert ** | An Appliance system criterion is exceeded. For example, “Disk usage exceeds 80%”. By default, System Alerts are prioritized as high. You can change their settings to medium or low if needed.
VPN Connections Alert | A VPN connection is denied access and/or disconnected. The VPN Connections Alert is only applicable to Check Point VPN, Cisco VPN, Nortel VPN, and RADIUS Accounting device types.
VPN Messages Alert | Combinations of specific VPN message area, severity, and code. This alert is applicable to Cisco VPN devices.
VPN Statistics Alert | Recorded statistics on VPN or RADIUS messages match relative or absolute criteria. This alert is applicable to Check Point VPN, Cisco VPN, Nortel VPN, and RADIUS Accounting device types.
* The Rules tab appears for Network Policy Alerts, and is accessible only after the new alert is initially saved.
** System Alerts do not have a Devices tab.
4. Set up the alert in the General tab.
Options on the General tab vary depending on the alert type. For a complete list of options for a specific alert type, see the Online Help for that alert type. These steps include typical options:
a. Enter a Name for the alert.
b. Set the alert Priority. (High is the default.)
c. Select to Enable the alert. This enables the alert once you click the Add button.
d. (Optional) Enter a specific SNMP OID to further define the alert. For example, this is helpful so that your administrator/receiver knows that all alerts triggered with this SNMP OID originate from a specific device and alert.