Adding a New Alert Template Format

You can define a new alert template format by using the Add New Alert Format option.

Procedure

  1. Go to Alerts > Manage Alert Templates.
  2. On the Manage Alert Templates page, click the Add New button.
    The Add New Alert Format window is displayed.
  3. Define a template name in the Name field. This must be unique for each template.
  4. From the Alert Type list, select a type of alert.
    Note: For an ST appliance, only four alert types are available: Adaptive Baseline Alert, Message Volume Alert, Search Filter Alert, and System Alert.
  5. Select the Template Type from the list. The options are: Email, Alert History, SNMP Trap, and Syslog. Once you select the template type, the default text for the selected type appears in the Body field.
  6. Select a variable from the Variables list. Once you select a variable, the exact string to insert for that variable appears in the Variable Text field.
    The valid variable strings are defined in the following table:
    Alert Template Variable Definitions
    Variable Text          | Description
    $ALERT_DESCRIPTION     | User-defined alert description.
    $ALERT_ID              | A number specific to the alert type. For example, 050300 for Message Volume Alert.
    $ALERT_LOG_SOURCES     | The list of log sources assigned to the alert.
    $ALERT_NAME            | User-defined alert name.
    $ALERT_TIME            | The time when the alert was triggered.
    $ALERT_TYPE            | The alert type. For example, Message Volume Alert.
    $ALERT_URL             | The URL of a page with the alertable event details. Do not place any special characters immediately after $ALERT_URL.
    $CUSTOM_EMAIL_SUBJECT  | A portion of the email subject that is pre-constructed based on the alert type and contains alert type-specific details. You cannot change this field.
    $CUSTOM_STRING         | A portion of the email body that is pre-constructed based on the alert type and contains alert type-specific details. You cannot change this field.
    $CUSTOM_SYSLOG_STRING  | A portion of the alert syslog message that is pre-constructed based on the alert type and contains alert type-specific details. You cannot change this field.
    $FILTER                | The text of the search filter that matched as part of a Search Filter Alert.
    $FILTER_NAME           | The name of the search filter assigned to a Search Filter Alert.
    $HIGH_THRESHOLD        | The high threshold value that was exceeded during alert monitoring.
    $LOG                   | The log message that triggered the alert.
    $LOG_SOURCES           | The log sources that triggered the alert.
    $LOG_SOURCE_IPS        | The IP addresses of the log sources that triggered the alert.
    $LOW_THRESHOLD         | The low threshold value that was crossed during alert monitoring.
    $NUM_EVENTS            | The number of alertable events that occurred during the reset time. The reset time temporarily suppresses alerts.
    $PRIORITY              | The alert priority.
    $RECIPIENT             | The email, syslog, or SNMP destination that the alert was sent to.
    $RESET_TIME            | The alert reset time. The reset time temporarily suppresses alerts.
    $SNMP_STRING           | A portion of the alert SNMP message that is pre-constructed based on the alert type and contains alert type-specific details. You cannot change this field.
    $SRC_APPLIANCE         | The appliance that triggered the alert.
    $TIME_SPAN             | The time span value used in the alert definition.
    $TYPE_SYSLOG           | The alert type encoding used in the syslog alert message, such as "MESSAGE_VOLUME_ALERT".
    Note:
    1. The $$ sequence is translated as a literal $. For example, $$ALERT_DESCRIPTION is displayed in the alert history as the text $ALERT_DESCRIPTION, not as the description.
    2. If you place a number between the $ and the variable name, only that number of characters is displayed when the variable value is longer. For example, $10ALERT_DESCRIPTION displays only the first 10 characters of the alert description; the remaining characters are truncated.
    3. Some variables, such as $LOW_THRESHOLD and $HIGH_THRESHOLD, are not supported for every alert type. For an alert type that does not support a variable, the variable is displayed as empty or 0.
    4. Alert types that cannot distinguish log sources that produced messages from those that produced none, such as Message Volume Alert and VPN Statistics Alert, might list all assigned log sources in the $LOG_SOURCES variable.
  7. The Maximum Message Length field displays the default maximum character length of the alert email subject and of the alert message. You can change this value at any time. If the alert email subject and alert message exceed the specified length, the email subject is truncated.
    Note: When the selected Template Type is Email, the default maximum character length is 65503.
  8. When you select the Template Type as Email, the Subject field appears with a default subject. Change the subject if required. The Subject field is mandatory but the Body field is optional.
    Note: The Subject or Body fields cannot include <subject>, </subject>, <body>, or </body> tags.
  9. Add or change the default body of the selected template type in the Body field. You can use multiple variables. When adding a variable, copy and paste the exact variable string from the Variable Text field into the Body field; a misspelled variable is not substituted.
  10. Click the Add button to save the new template format.
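The following Python script is an added example, not code from the appliance or from the original page. It implements the variable rules in the notes above ($$ escaping, the numeric truncation prefix, empty output for variables the alert type does not supply, the Maximum Message Length cut-off, and the ban on subject/body tags) so that you can check how a template will render before saving it. The variable names and the 65503 default are taken from this page; the alert values in SAMPLE_ALERT, the function names, and the treatment of unknown $TOKENs (left unchanged) are assumptions for illustration.

```python
import re

# Variable names from the Alert Template Variable Definitions table above.
KNOWN_VARIABLES = {
    "ALERT_DESCRIPTION", "ALERT_ID", "ALERT_LOG_SOURCES", "ALERT_NAME",
    "ALERT_TIME", "ALERT_TYPE", "ALERT_URL", "CUSTOM_EMAIL_SUBJECT",
    "CUSTOM_STRING", "CUSTOM_SYSLOG_STRING", "FILTER", "FILTER_NAME",
    "HIGH_THRESHOLD", "LOG", "LOG_SOURCES", "LOG_SOURCE_IPS", "LOW_THRESHOLD",
    "NUM_EVENTS", "PRIORITY", "RECIPIENT", "RESET_TIME", "SNMP_STRING",
    "SRC_APPLIANCE", "TIME_SPAN", "TYPE_SYSLOG",
}

# Tags that the Subject and Body fields must not contain (step 8 note).
FORBIDDEN_TAGS = ("<subject>", "</subject>", "<body>", "</body>")

# Default Maximum Message Length for the Email template type (step 7 note).
DEFAULT_EMAIL_MAX_LENGTH = 65503

# Constructed sample alert context (hypothetical values, not appliance output).
# Note that $LOG carries the raw triggering log line, which the operator does
# not control; it is substituted verbatim, exactly like any other value.
SAMPLE_ALERT = {
    "ALERT_NAME": "Failed logins spike",
    "ALERT_DESCRIPTION": "More than 50 failed SSH logins in 5 minutes",
    "ALERT_TYPE": "Message Volume Alert",
    "ALERT_ID": "050300",
    "ALERT_TIME": "2024-05-01 12:34:56",
    "LOG_SOURCES": "fw01, fw02",
    "LOG": "<134>May  1 12:34:55 fw01 sshd[2211]: Failed password for root from 198.51.100.7",
    "PRIORITY": "High",
}

# $$               -> literal $
# $<digits><NAME>  -> value of NAME truncated to <digits> characters
# $<NAME>          -> full value of NAME
VAR_RE = re.compile(r"\$(?:(\$)|(\d+)?([A-Z][A-Z_]*))")


def validate_template(subject, body):
    """Reject templates that violate the Subject/Body rules in step 8."""
    if not subject.strip():
        raise ValueError("Subject field is mandatory")
    for field_name, text in (("Subject", subject), ("Body", body)):
        lowered = text.lower()
        for tag in FORBIDDEN_TAGS:
            if tag in lowered:
                raise ValueError(f"{field_name} field must not contain {tag}")


def expand(template, context):
    """Substitute alert variables using the rules from the notes in step 6."""
    def replace(match):
        dollar, width, name = match.groups()
        if dollar:
            return "$"                        # $$ escapes a literal dollar sign
        if name not in KNOWN_VARIABLES:
            return match.group(0)             # assumption: unknown tokens are kept
        value = str(context.get(name, ""))    # unsupported for this type -> empty
        if width:
            value = value[: int(width)]       # $10ALERT_DESCRIPTION keeps 10 chars
        return value
    return VAR_RE.sub(replace, template)


def compose_email(subject_template, body_template, context,
                  max_length=DEFAULT_EMAIL_MAX_LENGTH):
    """Render an Email-type template and apply the Maximum Message Length."""
    validate_template(subject_template, body_template)
    subject = expand(subject_template, context)
    body = expand(body_template, context)
    return {"subject": subject[:max_length], "body": body[:max_length]}


if __name__ == "__main__":
    mail = compose_email(
        "$ALERT_TYPE: $ALERT_NAME",
        "Alert $ALERT_ID at $ALERT_TIME\n"
        "Description: $20ALERT_DESCRIPTION\n"
        "Sources: $LOG_SOURCES  Threshold: $HIGH_THRESHOLD\n"
        "Cost: $$5 per event\n"
        "Log: $LOG\n",
        SAMPLE_ALERT,
    )
    print(mail["subject"])
    print(mail["body"])
```

Because $LOG, $FILTER and the log-source variables are filled from data the appliance received rather than text you wrote, apply a truncation prefix (for example $200LOG) when the template feeds a destination with its own line-length limits, and keep the literal-$ escape in mind if your body text mentions currency or shell-style variables.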

Result

The newly added template is displayed on the Manage Alert Templates page.