Adding a New Alert Rule

Adding an alert to the appliance involves selecting the type of alert, enabling the alert, specifying the log sources to monitor, and specifying alert recipients (SNMP traps, syslog receivers, and email user IDs).

Modifying an alert lets you change the same options as those for adding an alert.
Warning: When setting up an alert, do not use search expressions that include variables. The appliance treats any variable in a search expression as literal text.
The Devices, Alert Receivers, and Email Recipients tabs show disabled log sources, receivers, or recipients marked as (disabled). Disabled entries are ignored during processing, but remain listed on the following pages and are automatically included in the alert again when they are re-enabled:
  • Log sources: Management > Devices
  • Receivers: Administration > Alert Receivers
  • Recipients: Management > Users

Procedure

  1. Go to Alerts > Manage Alert Rules.
  2. Click the Add New button.
  3. In the Type tab, select an alert type. See Types of Alerts.
    After you select an alert type, the General tab for that alert type automatically appears, and the Devices, Alert Receivers, Email Recipients, and Templates tabs are enabled.
  4. On the General tab, set up the alert.
    Options on the General tab vary depending on the alert type. The following options are typical:

    Name
      Alert name.
    Priority
      Alert priority. Default value: High.
    Alert Criteria
      Alert criteria. This field is available only for a System Alert.
    Reset Time
      The time in seconds after which the SNMP trap must be cleared.
    Enable
      Click Yes to enable the alert. The alert is enabled after you click the Add button.
    (Optional) SNMP OID
      Enter a specific SNMP OID to further define the alert. For example, by defining an OID, your administrator or receiver knows that all alerts triggered with this SNMP OID originate from a specific device and alert.
    Description
      Alert description.
      Tip: Enter a name and description unique enough to easily identify the alert in a large list.
    Enable Schedule
      Select the check box to specify the time period for scheduling the alerts. Select the appropriate Time and Day boxes to specify the schedule; a selected box turns blue. To remove a time slot, click the blue box.
    Issue SNMP Trap Clear
      Select the check box to clear the trap after the issue is resolved.
      You can clear the SNMP trap for system alerts that report a critical condition, such as disk usage alerts, but not for system alerts that are issued only for information, such as the data migration complete alert.
      For example, a disk usage alert might trigger when disk usage crosses a threshold. If disk usage later decreases to below the threshold, an SNMP clear trap is issued. The clear trap can only be sent via SNMP, and only to the same receiver that is configured for the alert. The trap contains a text message indicating the condition being cleared and the name of the alert. A record of the trap appears on the Show Triggered Alerts page as well as in the log file sys.log.

  5. On the Devices tab, specify log sources for the alert.
    All the log sources on the appliance are listed in Available Devices. When you move a device to the Selected Devices section, the alerts you configure are activated for those devices. You can define different alerts for different devices.
    For available devices whose Collector Domain was specified in LogLogic Universal Collector, the name is displayed in the following format:
    <collector domainid>_<device IP>_<devicetype>
    For example, a Windows machine with an IP address of 10.10.10.10 and a collector domain ID of 1 is displayed as 1_10.10.10.10._windows.

    Select the Track all devices individually check box to generate an independent alert message for each selected device. The reset time is tracked for the group as a whole, and you can change the alert properties for the whole device group using one alert.

    Note: When configuring an alert (except for System Alerts) on logs transferred using LogLogic TCP, alert reporting can be slightly slower than real-time. Because LogLogic TCP sends data in chunks that the appliance incrementally merges, an alert can appear anywhere between real-time and up to 5 minutes later. As a result, for example, Message Volume rates can be determined when averaging over a 5-minute or greater increment, but do not provide meaningful averages for smaller timespans. For Cisco PIX/ASA Messages alerts, the Timespan setting should be at least 60 seconds.
  6. On the Alert Receivers tab, specify SNMP trap receivers and syslog receivers for the alert.
    You can define alerts for both SNMP traps and syslog receivers (as well as users), or only for SNMP traps. The Alert Receivers tab lists all SNMP trap and syslog receivers available on the appliance. You must configure SNMP trap receivers, syslog receivers, or both, and/or add specific traps. For more information about Alert Receivers, see TIBCO LogLogic® Log Management Intelligence Administration.
  7. On the Email Recipients tab, specify the people who should receive alerts via email.
    You can define alerts for both users and SNMP traps, or only for users. Available Users lists all the users available on the appliance. For information about adding users, see TIBCO LogLogic® Log Management Intelligence Administration.
    1. On the Templates tab, select templates for each alert type from the list. The Templates tab displays all available templates for each alert type:
      • History
      • SNMP
      • Syslog
      • Email
      After you select a template, its format is displayed. To define or modify template formats, see Adding a New Alert Template Format.
    2. By default, the Default option for the Alert Email Template is selected, which sends the default email message. In this case, select Long or Short from the Message Size list to choose the message form.
    3. Select the Enable View Alert Detail from Email check box to include additional alert detail in the email. The email then includes a link that you can click to open the Alert Notification page in the LogLogic LMI GUI.
      Note:
      • The size of an email message that includes an alert is limited to 1024 bytes. Any additional alert text is truncated.
      • If a LogLogic LMI session is already open in a browser and you click the link in an alert email, you might have to log in again in a new session. After you log in to the new session, you are logged out of the earlier LogLogic LMI sessions to maintain access security.
  8. The Rules tab is enabled only for Network Policy Alerts. When adding a Network Policy alert, you must save the alert and then modify it to access the Rules tab. On the Rules tab, you define the Accept (or Deny) Source and Destination IP Address Ranges, Port Ranges, and Protocols parameters for the alert; for example, the firewall policy rules you want to monitor with this alert. A single alert can have one rule or multiple rules, up to 1000 rules for each alert. You must add the alert before defining its rules. If you leave the fields blank and add the rule, you are still defining an alert: the appliance accepts all values for any field left blank.
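The Rules-tab matching described above, as an added example that is not LogLogic's own code: a small Python model of a Network Policy alert in which each rule carries an Accept/Deny action plus optional source range, destination range, port range and protocol, and a field left blank accepts every value. The rule and event structures, the CIDR/first-last range syntax and the sample firewall events are assumptions constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
MAX_RULES = 1000  # per-alert rule limit stated on the page

@dataclass(frozen=True)
class PolicyRule:
    """One Rules-tab entry. A None field was 'left blank' and therefore accepts every value."""
    action: str                        # firewall action to monitor: "accept" or "deny"
    src: Optional[str] = None          # assumed syntax: "10.0.0.0/24" or "10.0.0.1-10.0.0.50"
    dst: Optional[str] = None
    ports: Optional[tuple] = None      # (low, high), inclusive
    protocol: Optional[str] = None     # "tcp", "udp", ...

def _ip_in_range(ip: str, spec: Optional[str]) -> bool:
    # Blank spec matches any address; otherwise accept CIDR or 'first-last' ranges.
    if spec is None:
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule: PolicyRule, event: dict) -> bool:
    """True when a firewall log event matches every field the rule specifies."""
    return (event["action"].lower() == rule.action.lower()
            and _ip_in_range(event["src"], rule.src)
            and _ip_in_range(event["dst"], rule.dst)
            and (rule.ports is None or rule.ports[0] <= event["port"] <= rule.ports[1])
            and (rule.protocol is None or event["proto"].lower() == rule.protocol.lower()))

def evaluate_alert(rules: list, events: list) -> list:
    """Return (event index, rule index) pairs that would trigger the Network Policy alert."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"an alert may have at most {MAX_RULES} rules")
    return [(i, j) for i, ev in enumerate(events)
            for j, r in enumerate(rules) if rule_matches(r, ev)]

# Constructed sample rules and firewall events (not real data).
RULES = [
    PolicyRule("deny", src="203.0.113.0/24", ports=(22, 22), protocol="tcp"),
    PolicyRule("accept", dst="192.0.2.10-192.0.2.20"),
    PolicyRule("deny"),  # every field blank: any denied connection matches
]
EVENTS = [
    {"action": "deny", "src": "203.0.113.7", "dst": "192.0.2.5", "port": 22, "proto": "tcp"},
    {"action": "accept", "src": "198.51.100.4", "dst": "192.0.2.15", "port": 443, "proto": "tcp"},
    {"action": "accept", "src": "198.51.100.4", "dst": "192.0.2.99", "port": 80, "proto": "tcp"},
]
```

Calling evaluate_alert(RULES, EVENTS) shows that the first event matches both the specific deny rule and the all-blank deny rule, while the second matches only the accept rule for the destination range.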
  9. Click the Add button to add the new alert to the appliance.