Incidents: Difference between revisions
Jump to navigation
Jump to search
Access restrictions were established for this page. If you see this message, you have no access to this page.
No edit summary |
No edit summary |
||
| Line 7: | Line 7: | ||
Occurred incidents can be seen in the web interface, and additionally reporting via email or syslog is possible too. | Occurred incidents can be seen in the web interface, and additionally reporting via email or syslog is possible too. | ||
=== Rule configuration === | === 1. Rule configuration === | ||
Incident rules can be defined in the "Configuration of incident rules" tab in the menu "Generic -> Incidents". All changes to the rule configuration will only take affect after saving the current configuration by clicking on the save button at the bottom of the page. | |||
The page shows a table containing the existing rules and their configuration. | |||
Each existing rule can be modified by clicking on the pencil symbol, or deleted by clicking on the "minus" symbol. | |||
New rules can be added by clicking on the "Add rule" button. A dialog appears allowing for configuration of the rule. The same dialog is used when modifying an existing rule. | |||
==== 1.1. Add/modify a rule ==== | |||
A rule is defined by the following settings: | |||
* Rule text: This is an arbitrary text describing the purpose of the rule. This text is shown in the incident list and email/syslog ouptut. | |||
* Severity: three different severity values "low", "medium", and "high" can be used to group more important and less important incidents. Reporting channels can be configured to only report incidents of a minimum severity level. A rule can also be disabled by choosing the severity level "disabled". It will not be evaluated and can be enabled later at will. | |||
* Trigger: The trigger defines when a rule is evaluated. For each available trigger, a description is shown next to it giving more details about the trigger. Some triggers are evaluated at a very specific time, like when a VoIP call ends, or are evaluated regularly like for throughput triggers of IP traffic which can be configured to be checked once very minute or hour or so. See list below for a detailed description of the available triggers. | |||
* Attributes: Attributes are used to make actual comparison of expected values vs. actual values. | |||
** Each trigger has a different set of attributes which can be checked for, and some triggers don't need to have an attribute at all. See list below for a detailed description of the available attributes | |||
** Up to four attributes can be added by clicking on the "Add attribute" button. | |||
** Multiple attributes must all match at the same time to let the rule create an incident. | |||
** Each attribute can be compared to a specific value, so that the actual value is lower, equal, or greater than a defined value. | |||
** Some attributes have an additional parameter, like a timespan which defines how the attribute value is calculated. | |||
* Virtual link group: The rule can be limited to a selected [[Virtual Link Group functionality|virtual link group]] or to be applied for any group. Some triggers cannot be limited to a virtual link group so the configuration will be hidden. | |||
* IP filter: Depending on the selected trigger, the rule can be limited to a specific IP address. | |||
* IP group: Depending on the selected trigger, the rule can be apply to IP group instead of individual IP address. | |||
* Report channel: Incidents are always visible in the web interface, but can also be reported via multiple channels which can be configured separately in the tab "Configuration of notification channels". Up to ten channels can be selected so that the incident for this rule is reported on each channel. Also, no channel can be configured so the incident is only accessible on the web interface. | |||
==== 1.2. Available triggers ==== | |||
{| class="wikitable" | |||
|+ | |||
!Trigger name | |||
!Description | |||
|- | |||
|mac_traffic | |||
|continuous check of attributes for each active MAC address | |||
|- | |||
|mac_new_address | |||
|checked once when a new MAC address appears | |||
|- | |||
|mac_new_l7_protocol | |||
|checked when a MAC address uses a l7 protocol for the first time | |||
|- | |||
|arp_ip_mac_changed | |||
|check MAC address for each ARP response for an IP | |||
|- | |||
|ip_flow_end | |||
|check attributes when a flow ends | |||
|- | |||
|ip_traffic | |||
|continuous check of attributes for each active IP or IP group | |||
|- | |||
|ip_new_local_ip | |||
|checked once for each new IP | |||
|- | |||
|ip_new_local_l7_protocol | |||
|checked once for each new l7 protocol used by an IP | |||
|- | |||
|ip_local_ip_multiple_macs | |||
|check for multiple MAC addresses for each new flow of an IP | |||
|- | |||
|ip_tcp_handshake | |||
|checked after successful TCP handshaked | |||
|- | |||
|qos_traffic | |||
|continuous check of attributes for each active QoS class | |||
|- | |||
|dns_server_not_responding | |||
|checked when a DNS server is not responding for some time | |||
|- | |||
|sip_call_end | |||
|checks attributes when a SIP call ended | |||
|- | |||
|global_interface_status_change | |||
|checked when the status of an interfaces changes | |||
|- | |||
|global_interface_speed_change | |||
|checked when the speed of an interfaces changes | |||
|- | |||
|global_interface_speed_mismatch | |||
|checked when the status or speed of an interfaces changes and mismatches the speed of corresponding interface of a link | |||
|- | |||
|global_traffic | |||
|continuous check of attributes for the total traffic of the device | |||
|} | |||
=== Channel configuration === | === Channel configuration === | ||
Revision as of 16:12, 3 February 2021
<accesscontrol></accesscontrol>
Incidents are just to alarm the user when configured events appear, usually for traffic based rules, but also for system-specific events.
The incident feature allows to define rules which are checked on the configured trigger point, like when a connection ends, a SIP call ends, or for checks on ongoing traffic. When such a trigger hits, configurable traffic attributes will be checked and if all attributes of a rule matches, an incident is created.
Occurred incidents can be seen in the web interface, and additionally reporting via email or syslog is possible too.
1. Rule configuration
Incident rules can be defined in the "Configuration of incident rules" tab in the menu "Generic -> Incidents". All changes to the rule configuration will only take affect after saving the current configuration by clicking on the save button at the bottom of the page.
The page shows a table containing the existing rules and their configuration.
Each existing rule can be modified by clicking on the pencil symbol, or deleted by clicking on the "minus" symbol.
New rules can be added by clicking on the "Add rule" button. A dialog appears allowing for configuration of the rule. The same dialog is used when modifying an existing rule.
1.1. Add/modify a rule
A rule is defined by the following settings:
- Rule text: This is an arbitrary text describing the purpose of the rule. This text is shown in the incident list and email/syslog ouptut.
- Severity: three different severity values "low", "medium", and "high" can be used to group more important and less important incidents. Reporting channels can be configured to only report incidents of a minimum severity level. A rule can also be disabled by choosing the severity level "disabled". It will not be evaluated and can be enabled later at will.
- Trigger: The trigger defines when a rule is evaluated. For each available trigger, a description is shown next to it giving more details about the trigger. Some triggers are evaluated at a very specific time, like when a VoIP call ends, or are evaluated regularly like for throughput triggers of IP traffic which can be configured to be checked once very minute or hour or so. See list below for a detailed description of the available triggers.
- Attributes: Attributes are used to make actual comparison of expected values vs. actual values.
- Each trigger has a different set of attributes which can be checked for, and some triggers don't need to have an attribute at all. See list below for a detailed description of the available attributes
- Up to four attributes can be added by clicking on the "Add attribute" button.
- Multiple attributes must all match at the same time to let the rule create an incident.
- Each attribute can be compared to a specific value, so that the actual value is lower, equal, or greater than a defined value.
- Some attributes have an additional parameter, like a timespan which defines how the attribute value is calculated.
- Virtual link group: The rule can be limited to a selected virtual link group or to be applied for any group. Some triggers cannot be limited to a virtual link group so the configuration will be hidden.
- IP filter: Depending on the selected trigger, the rule can be limited to a specific IP address.
- IP group: Depending on the selected trigger, the rule can be apply to IP group instead of individual IP address.
- Report channel: Incidents are always visible in the web interface, but can also be reported via multiple channels which can be configured separately in the tab "Configuration of notification channels". Up to ten channels can be selected so that the incident for this rule is reported on each channel. Also, no channel can be configured so the incident is only accessible on the web interface.
1.2. Available triggers
| Trigger name | Description |
|---|---|
| mac_traffic | continuous check of attributes for each active MAC address |
| mac_new_address | checked once when a new MAC address appears |
| mac_new_l7_protocol | checked when a MAC address uses a l7 protocol for the first time |
| arp_ip_mac_changed | check MAC address for each ARP response for an IP |
| ip_flow_end | check attributes when a flow ends |
| ip_traffic | continuous check of attributes for each active IP or IP group |
| ip_new_local_ip | checked once for each new IP |
| ip_new_local_l7_protocol | checked once for each new l7 protocol used by an IP |
| ip_local_ip_multiple_macs | check for multiple MAC addresses for each new flow of an IP |
| ip_tcp_handshake | checked after successful TCP handshaked |
| qos_traffic | continuous check of attributes for each active QoS class |
| dns_server_not_responding | checked when a DNS server is not responding for some time |
| sip_call_end | checks attributes when a SIP call ended |
| global_interface_status_change | checked when the status of an interfaces changes |
| global_interface_speed_change | checked when the speed of an interfaces changes |
| global_interface_speed_mismatch | checked when the status or speed of an interfaces changes and mismatches the speed of corresponding interface of a link |
| global_traffic | continuous check of attributes for the total traffic of the device |
Channel configuration
TODO
Other incidents settings
TODO
Occured incident view
TODO
Rule statistics
TODO