Adding a New Alert Rule

Adding an alert rule involves various steps.

1. Choose Alerts > Manage Alert Rules from the navigation menu.
2. Click the Add New button.
3. In the Type tab, select an alert type.
   After you select an alert type, the General tab for that alert type automatically appears. The Devices, Alert Receivers, Email Recipients, and Templates tabs are enabled.

   Alert Types

   Alert Type	Triggered when...
   Adaptive Baseline Alert	The messages/second rate becomes more or less than the nominal rate for the traffic. Note: A baseline is established after 1 week from the alert activation time. After the baseline is established, the baseline is adjusted every 15 minutes. The new value is averaged in with past baseline.
   Cisco PIX/ASA Messages Alert	The messages/second rate for a specific PIX/ASA message code is greater or less than the specified rates.
   Message Volume Alert	The messages/second rate is greater or less than the specified rates. If the user sets the “Zero Message Alert” check box, an alert is triggered only if zero messages are received within the timespan set. Note: Zero Message Alerts are supported only on local devices, and not on device groups spanning all LogLogic LMI appliances.
   Network Policy Alert 1	A network policy message is received with an Accept or Deny Policy Action. The appliance automatically pulls Check Point firewall rule bases via the Check Point Management Interface (CPMI), but you still must manually enter rules for a Network Policy Alert in the Rules tab.
   Parsed Data Alert	Parsed data meets certain conditions specified for the alert. Parsed Data alerts are different from other alert types; they are based on Pre-defined Search Filter alerts. See Creating Parsed Data Alerts.
   Pre-defined Search Filter Alert	A text search filter matches message fields. This uses one of the appliance's saved search filters: Use Words Use Exact Phrase Regular Expression
   Ratio Based Alert	The specified message count is greater or less than a specified percentage of total messages. For example, “Login Success message count is fewer than 10% of total messages.” The appliance checks for any conditions that would trigger a Ratio Based Alert every 60 seconds.
   System Alert 2	An appliance system criteria is exceeded. For example, “Disk usage exceeds 80%”. By default, System Alerts are prioritized as high. You can change their settings to medium or low if needed.
   VPN Connections Alert	A VPN connection is denied access and/or disconnected. The VPN Connections Alert is only applicable to Check Point VPN, Cisco VPN, Nortel VPN, and RADIUS Accounting device types.
   VPN Messages Alert	Combinations of specific VPN message area, severity, and code. This alert is applicable to Cisco VPN devices.
   VPN Statistics Alert	Recorded statistics on VPN or Radius messages match relative or absolute criteria. This alert is applicable to Check Point VPN, Cisco VPN, Nortel VPN, and RADIUS Accounting device types.

   Note:

   • For the LogLogic ST Appliance, an Adaptive Baseline Alert, a Message Volume Alert, and a Pre-defined Search Filter Alert can be created, along with a new System Alert.
   • A LogLogic LX Appliance can create all types of Alerts.
   • The Pre-defined Search Filter is disabled if there are no search filters defined on the appliance. To create a Pre-defined Search Filter, use Search Filters to add the filter. A search filter for an alert can contain words, phrase or a RegEx expression.
4. Set up the alert in the General tab.

   Options on the General tab vary depending on the alert type. These steps include typical options:

   1. In the Name field, enter a name for the alert.
   2. Set the alert Priority. The default value is High.
   3. From the Alert Criteria list, select the alert criteria.
   4. In the Reset Time field, enter the time in seconds after which the SNMP trap must be cleared.
   5. Click Enable Yes to enable the alert. This enables the alert after you click the Add button.
   6. (Optional) Enter a specific SNMP OID to further define the alert.
      For example, by defining this, your administrator or receiver knows that all alerts triggered with this SNMP OID originate from a specific device and alert.
   7. Enter a Description for the alert.
      Tip: Enter a name and description unique enough to easily identify the alert in a large list.
   8. Select the Enable Schedule check box to specify the time period for scheduling the alerts. Select the appropriate Time and Day box to specify the schedule. The selected box turns blue. To remove any particular time slot, click on the blue box.
   9. Select the Issue SNMP Trap Clear check box if you want the trap to be cleared after the issue is resolved.
      You can clear the SNMP trap for system alerts where a critical condition is reported, such as disk usage alerts; but not for other system alerts that are issued only for information, such as data migration complete alert.
      For example, a disk usage alert might trigger when the disk usage crosses a threshold. After issuing this alert, if the disk usage later decreases to below the threshold, an SNMP clear trap is issued. The trap can only be sent via SNMP and to the same receiver that is configured for the alert. The trap contains a text message indicating the condition being cleared and the name of the alert. A record of the trap appears on the Show Triggered Alerts page as well as in the log file sys.log.
5. Specify log sources for the alert in the Devices tab.

   All the log sources on the appliance are listed in Available Devices. When you move a device to the Selected Devices section, the alerts you configure are activated for those devices. You can define different alerts for different devices.

   For available devices where the Collector Domain was specified in a UC the following format; <collector domainid>_<device IP>_<devicetype> is displayed. For example a windows machine with an IP address of 10.10.10.10 and collector domain is displayed as 1_10.10.10.10._windows.

   Select the Track all devices individually check box to generate independent alert messages for each selected device. The reset time tracks for the group as a whole and you can change alert properties using one alert for the device group.

   Note: When configuring any alerts (except for System Alerts) on logs transferred using LogLogic TCP, the alert reporting can be slightly less than real-time. Because LogLogic TCP sends data in chunks that the appliance incrementally merges, an alert can appear anywhere between real-time and up to 5 minutes later. As a result, for example, Message Volume rates can be determined when averaging over a 5 minute or greater increment, but do not provide meaningful averages for smaller timespans. For Cisco PIX/ASA Messages alerts, the Timespan setting should be at least 60 seconds.
6. Specify SNMP trap receivers and syslog receivers for the alert in the Alert Receivers tab.

   You can define alerts for both SNMP traps, syslog receivers and users or for SNMP traps only. The Alert Receivers tab lists all the available traps and syslog for the appliance. You must configure SNMP traps, syslog receivers, and/or add specific traps. For more information about Alert Receivers, see the TIBCO LogLogic® Log Management Intelligence Administration Guide.

7. Specify people to receive alerts via email in the Email Recipients tab.
   Note: Email messages that include an alert are limited to 1024 bytes. Any additional alert text is truncated in the email message.

   You can define alerts for both users and SNMP traps or for users only. Available Users lists all the users available for the appliance.

   For more information about adding users, see the TIBCO LogLogic® Log Management Intelligence Administration Guide.

8. Select templates for each alert type from the drop-down menu. The Templates tab displays all available templates for each alert type: History, SNMP, Syslog, and Email.
 After you select the template, the format is displayed. 

By default, the Default option for the Alert Email Template is selected to send the default email message. In this case, from the Message Size drop-down, select Long or Short message forms. Select the Enable View Alert Detail from Email check box to provide additional alert detail in email. 
To define or modify template formats, see Manage Alert Templates.
9. The Rules tab is enabled only for Network Policy Alerts. The Rules tab allows for defining the Accept (or Deny) Source and Destination IP Address Ranges, Port Ranges, and Protocols. When adding a Network Policy alert, you must save the alert and then modify it to access the Rules tab. Use the Rules tab to define parameters for the alert. For example, define firewall policy rules you want to monitor for this alert. A single alert can have a single rule or multiple rules. You must add an alert before defining rules. You can define up to 1000 rules for each alert. If you leave the fields blank and add the rule, you are still defining an alert. The appliance accepts all values if you leave the fields blank.
10. Click the Add button to add the new alert to the appliance.
    Note: The Devices, Alert Receivers, and Email Recipients tabs list disabled log sources, receivers, or recipients marked as (disabled). Disabled entries are ignored during processing, but are listed in these tabs so they’re automatically present when enabled again (via the Management > Devices, Administration > Alert Receivers, or Management > Users tabs, respectively).