Manage Alert Rules

From the Alerts > Manage Alert Rules page, you can define rules to detect unusual traffic on your network or detect appliance system anomalies.

You can add, modify, or remove alerts. You can configure an alert to generate SNMP events, send to a syslog receiver, and/or send an email notification when the alert rule is triggered. Each appliance includes a default set of alerts. You can modify these alerts and add to them as needed. You do not need to set up an SNMP or syslog server for the default alerts.
Note: If you have the Manage Alerts privileges, you can modify or delete alerts created by other users.

The Manage Alert Rules page displays the following information:

Field or Column: Description

Find: Filter using keywords. Enter the keywords in the Find field and press Enter.
Name: Name of the alert.
Type: Type of the alert.
Priority: The defined priority of the alert.
Enabled: Indicates whether the alert is active. This column can also show one of the following messages:
  • You must assign a User and Alert Receiver for this alert.
  • You must assign a Device for this alert.
Description: Description of the alert.

Types of Alerts

The following types of alerts are available:

Alert Type: Triggered when...

Adaptive Baseline Alert: The messages/second rate rises above or falls below the nominal rate for the traffic.
Note: A baseline is established 1 week after the alert activation time. After the baseline is established, it is adjusted every 15 minutes, and each new value is averaged in with the past baseline.

Cisco PIX/ASA Messages Alert: The messages/second rate for a specific PIX/ASA message code is greater or less than the specified rates.

Message Volume Alert: The messages/second rate is greater or less than the specified rates. If the “Zero Message Alert” check box is selected, an alert is triggered only if zero messages are received within the timespan set.
Note: Zero message alerts are supported only on local devices, not on device groups spanning all LogLogic LMI appliances.

Network Policy Alert: A network policy message is received with an Accept or Deny Policy Action.

The appliance automatically pulls Check Point firewall rule bases via the Check Point Management Interface (CPMI), but you must still enter the rules for a Network Policy Alert manually in the Rules tab.

Note: The Rules tab is available for Network Policy Alerts, and is accessible only after the new alert has been saved for the first time.

Parsed Data Alert: The parsed data meets the conditions specified for the alert.

Parsed data alerts differ from the other alert types: they are based on Pre-defined Search Filter alerts. See Creating Parsed Data Alerts.

Pre-defined Search Filter Alert: A text search filter matches message fields. The alert uses one of the search filters saved on the appliance, in one of these modes:
  • Use Words
  • Use Exact Phrase
  • Regular Expression

The Pre-defined Search Filter Alert type is disabled if no search filters are defined on the appliance. To create a search filter, use Search Filters to add the filter. A search filter for an alert can contain words, a phrase, or a regular expression.

Ratio Based Alert: The count of a specified message is greater or less than a specified percentage of total messages. For example, “Login Success message count is fewer than 10% of total messages.”

The appliance checks every 60 seconds for any condition that would trigger a Ratio Based Alert.

System Alert: An appliance system criterion is exceeded. For example, “Disk usage exceeds 80%”.

By default, the priority of system alerts is high. You can change it to medium or low if needed.

Note: The Devices tab is not available for system alerts.

See also: Preconfigured System Alerts

VPN Connections Alert: A VPN connection is denied access and/or disconnected.

The VPN Connections Alert applies only to Check Point VPN, Cisco VPN, Nortel VPN, and RADIUS Accounting device types.

VPN Messages Alert: A message matches a specified combination of VPN message area, severity, and code. This alert applies to Cisco VPN devices.

VPN Statistics Alert: Recorded statistics on VPN or RADIUS messages match relative or absolute criteria. This alert applies to Check Point VPN, Cisco VPN, Nortel VPN, and RADIUS Accounting device types.
Note:
  • On the LogLogic ST Appliance, you can create Adaptive Baseline Alerts, Message Volume Alerts, Pre-defined Search Filter Alerts, and System Alerts.
  • On the LogLogic LX Appliance, you can create all types of alerts.
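The Pre-defined Search Filter, Message Volume (including the Zero Message Alert option) and Ratio Based alert types above are defined in terms of matching and counting rules, so their semantics are easiest to see in code. The following Python script is an added example written for this page; it is not LogLogic code and does not reproduce the appliance's implementation. The device names fw-a, fw-b and fw-c, the log lines, the thresholds and the rule names are all constructed for the example, and treating word and phrase matching as case-insensitive is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample messages (timestamp, source device, message text).
# These are made-up lines for the example, not captured appliance output.
T0 = datetime(2024, 1, 1, 12, 0, 0)


def at(seconds):
    """Timestamp `seconds` after T0 (helper for building windows)."""
    return T0 + timedelta(seconds=seconds)


SAMPLE_LOG = [
    (at(0), "fw-a", "Login Success user=alice"),
    (at(1), "fw-a", "Login Failed user=bob"),
    (at(2), "fw-a", "Login Failed user=bob"),
    (at(3), "fw-b", "Login Failed user=carol"),
    (at(4), "fw-b", "Login Success user=dave"),
    (at(5), "fw-b", "Session disconnected user=dave"),
]


def search_filter_matches(message, mode, pattern):
    """Pre-defined Search Filter semantics, keyed by the mode names on the page.

    'Use Words' requires every word of the pattern to appear as a whole word,
    in any order; 'Use Exact Phrase' requires the phrase as a contiguous
    substring; 'Regular Expression' applies re.search. Word and phrase modes
    are case-insensitive here (an assumption made for this example).
    """
    if mode == "Use Words":
        words = set(re.findall(r"\w+", message.lower()))
        return all(w.lower() in words for w in pattern.split())
    if mode == "Use Exact Phrase":
        return pattern.lower() in message.lower()
    if mode == "Regular Expression":
        return re.search(pattern, message) is not None
    raise ValueError(f"unknown search filter mode: {mode}")


def message_volume_alert(log, window_start, window_seconds, low=None, high=None,
                         zero_message_alert=False, device=None):
    """Message Volume Alert over one evaluation window.

    Normal mode fires when the messages/second rate is below `low` or above
    `high`. With zero_message_alert=True the thresholds are ignored and the
    alert fires only when no messages arrived in the window; the check is
    done per device, which is why it applies to local devices only.
    """
    window_end = window_start + timedelta(seconds=window_seconds)
    count = sum(
        1 for ts, dev, _ in log
        if window_start <= ts < window_end and (device is None or dev == device)
    )
    if zero_message_alert:
        return count == 0
    rate = count / window_seconds
    return (low is not None and rate < low) or (high is not None and rate > high)


def ratio_based_alert(log, mode, pattern, percent, comparison):
    """Ratio Based Alert: share of matching messages versus total messages."""
    total = len(log)
    if total == 0:
        return False  # no traffic at all: the ratio is undefined, so do not fire
    matched = sum(1 for _, _, msg in log if search_filter_matches(msg, mode, pattern))
    share = 100.0 * matched / total
    if comparison == "fewer than":
        return share < percent
    if comparison == "greater than":
        return share > percent
    raise ValueError(f"unknown comparison: {comparison}")


def triggered_rules(log, now):
    """Evaluate a small constructed rule set and return the names of rules that fire."""
    window = 6
    start = now - timedelta(seconds=window)
    fired = []
    if message_volume_alert(log, start, window, high=0.5):
        fired.append("Message Volume: rate above 0.5 msg/s")
    if message_volume_alert(log, start, window, zero_message_alert=True, device="fw-c"):
        fired.append("Message Volume: zero messages from fw-c")
    if ratio_based_alert(log, "Use Exact Phrase", "Login Success", 10, "fewer than"):
        fired.append("Ratio: Login Success fewer than 10% of total")
    if ratio_based_alert(log, "Use Exact Phrase", "Login Failed", 40, "greater than"):
        fired.append("Ratio: Login Failed greater than 40% of total")
    return fired


if __name__ == "__main__":
    for name in triggered_rules(SAMPLE_LOG, at(6)):
        print("ALERT:", name)
```

Running the script evaluates the constructed rule set against the sample log once and prints the rules that fire. The zero-message rule fires because fw-c sent nothing in the window, while the "Login Success fewer than 10%" rule does not, since two of six messages (about 33%) match; on the appliance the equivalent evaluation runs on the configured schedule, every 60 seconds for Ratio Based Alerts.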