Real-Time Alerts

This section describes Real-Time Alerts. For information on Saved Search Alerts, see Saved Search Alerts. For a description of the types of alerts, see Logger Alert Types.

You can set up real-time alerts that are triggered by specified events or event patterns and, optionally, send notifications to previously configured destinations such as an email address or an SNMP server. An event pattern is a specified event that occurs above a particular frequency (a threshold number of events in a specified period). For example, you could create an alert that is generated when five events from a specific device contain the word “unauthorized” within a five-minute interval. Alerts can also be generated for internal events such as storage capacity warnings or, on some Logger Appliance models, CPU temperature warnings.

To create an Alert, you will need to specify a query or filter, event aggregation values (Match count and Threshold), and (optional) one or more notification destinations. If the new Alert will send notifications to an email, SNMP, ESM Destination, Transformation Hub Destination, or Syslog Destination, set up the destination before creating the Alert. See Static Routes, Receiving Alert Notifications, and Setting Up Alert Notifications for more information.
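The aggregation rule described above (a filter, a Match count, and a Threshold window) is easy to misread as "N events total" rather than "N matching events within the window, per source". The following Python script is an added example, not Logger's own code, that emulates the rule over a handful of constructed log lines: it keeps a sliding window of matching event timestamps per device and fires when the window holds at least the match count. The behaviour of clearing the window once an alert fires, so that a burst yields one alert rather than one per extra event, is an assumption made for this example and is not stated in the documentation.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real Logger data): "timestamp device message".
SAMPLE_LOG = """\
2024-05-01T10:00:05 10.0.0.5 unauthorized access attempt on /admin
2024-05-01T10:00:00 10.0.0.9 UNAUTHORIZED token presented
2024-05-01T10:00:40 10.0.0.5 unauthorized access attempt on /admin
2024-05-01T10:01:00 10.0.0.5 login successful for user svc
2024-05-01T10:01:10 10.0.0.5 unauthorized access attempt on /backup
2024-05-01T10:02:30 10.0.0.5 unauthorized access attempt on /admin
2024-05-01T10:03:50 10.0.0.5 unauthorized access attempt on /config
2024-05-01T10:04:00 10.0.0.9 unauthorized token presented
2024-05-01T10:08:00 10.0.0.9 unauthorized token presented
2024-05-01T10:09:00 10.0.0.5 unauthorized access attempt on /admin
"""


def parse_log(text):
    """Parse 'timestamp device message' lines into (datetime, device, message) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, message = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), device, message))
    return events


def detect_bursts(events, keyword, match_count, threshold_seconds):
    """Emulate a real-time alert: fire when `match_count` events whose message
    contains `keyword` arrive from the same device within `threshold_seconds`.

    Returns a list of (device, ISO timestamp of the event that triggered the alert).
    Assumption (not from the page): the device's window is reset after an alert
    fires, so one burst produces a single alert.
    """
    window = timedelta(seconds=threshold_seconds)
    recent = defaultdict(deque)  # device -> timestamps of matching events still in the window
    alerts = []
    for ts, device, message in sorted(events, key=lambda e: e[0]):
        if keyword.lower() not in message.lower():
            continue  # the filter did not match this event; it does not count
        q = recent[device]
        q.append(ts)
        # Drop matching events that have aged out of the sliding window.
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= match_count:
            alerts.append((device, ts.isoformat()))
            q.clear()
    return alerts


if __name__ == "__main__":
    # Five "unauthorized" events from one device within five minutes, as in the text.
    for device, when in detect_bursts(parse_log(SAMPLE_LOG), "unauthorized", 5, 300):
        print(f"ALERT: {device} sent 5 'unauthorized' events within 5 minutes, last at {when}")
```

Running it with a Match count of 5 and a Threshold of 300 seconds fires once, for 10.0.0.5 at 10:03:50; 10.0.0.9 never reaches five matching events inside any five-minute window, and the "login successful" line is ignored because the filter does not match it. Lowering the count or widening the window changes which devices trigger, which is the trade-off to keep in mind when tuning these two values.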

Audit events for alerts are only written to the Internal Storage Group and not forwarded to ESM or Transformation Hub Destinations by default. If you need to forward these audit events to ESM, please contact customer support for assistance.

Note: This restriction applies only to audit events generated for alerts; other audit events can be sent to Transformation Hub or ESM Destinations.

Logger comes with predefined filters for commonly needed event patterns that enable you to quickly create the alerts you need. You can also create new filters to find specific event patterns of interest.

To see a list of the configured Real-Time Alerts, go to Configuration > Data > Alerts. To add a real-time alert, see Creating Real-Time Alerts.

To enable or disable a Real-Time Alert:

  1. Open the Configuration > Data menu and click Realtime Alerts.
  2. Locate the Alert that you want to disable or enable. Click the Enable or Disable icon on that row to change its state.

    Note: A maximum of 25 alerts can be enabled at one time. To enable an additional alert, you will need to disable a currently enabled alert.

    If you have the maximum number of alerts enabled and the receiver EPS is higher than 30k, the receiver EPS may be throttled somewhat to keep search times from degrading.

To edit a Real-Time Alert:

  1. Open the Configuration > Data menu and click Realtime Alerts.
  2. Locate the Alert that you want to edit and click the Edit icon on that row.

    A screen similar to the one in Creating Real-Time Alerts is displayed. Only alphanumeric characters can be used in an Alert name.

To remove a Real-Time Alert:

  1. Open the Configuration > Data menu and click Realtime Alerts.
  2. Locate the Alert that you want to remove and click the Remove icon on that row.
  3. Confirm the deletion by clicking OK, or click Cancel to retain the Alert.

To view triggered alerts:

See Viewing Alerts.
