Line 40: | Line 40: | ||
|- | |- | ||
|mac_traffic | |mac_traffic | ||
| | |This trigger is checked continuously for each active MAC address. The update interval is defined by the timespan parameter of the attributes. | ||
|- | |- | ||
|mac_new_address | |mac_new_address | ||
|checked once when a new MAC address appears | |This trigger is checked once when a new MAC address appears for the first time. | ||
|- | |- | ||
|mac_new_l7_protocol | |mac_new_l7_protocol | ||
|checked when a MAC address uses a l7 protocol for the first time | |This trigger is checked when a MAC address uses a l7 protocol for the first time. | ||
|- | |- | ||
|arp_ip_mac_changed | |arp_ip_mac_changed | ||
| | |This trigger is checked on an ARP response and MAC address changed for a requested IP. | ||
|- | |- | ||
|ip_flow_end | |ip_flow_end | ||
| | |This trigger checks the attributes whenever an IP flow ended. | ||
|- | |- | ||
|ip_traffic | |ip_traffic | ||
| | |This trigger is checked continuously for each active IP or IP group. The update interval is defined by the timespan parameter of the attributes. | ||
|- | |- | ||
|ip_new_local_ip | |ip_new_local_ip | ||
|checked once for each new IP | |This trigger is checked once for each new local IP. | ||
|- | |- | ||
|ip_new_local_l7_protocol | |ip_new_local_l7_protocol | ||
|checked once for each new l7 protocol used by | |This trigger is checked once for each new l7 protocol used by a local IP. | ||
|- | |- | ||
|ip_local_ip_multiple_macs | |ip_local_ip_multiple_macs | ||
| | |This trigger is checked on each new flow of a local IP address and more than one MAC address uses this IP. | ||
|- | |- | ||
|ip_tcp_handshake | |ip_tcp_handshake | ||
|checked after successful TCP | |This trigger is checked after successful TCP handshake. | ||
|- | |- | ||
|qos_traffic | |qos_traffic | ||
| | |This trigger is checked continuously for each active QoS class. The update interval is defined by the timespan parameter of the attributes. | ||
|- | |- | ||
|dns_server_not_responding | |dns_server_not_responding | ||
|checked when a DNS server is not responding for some time | |This trigger is checked when a DNS server is not responding for some time. | ||
|- | |- | ||
|sip_call_end | |sip_call_end | ||
| | |This trigger is checked when a SIP call ended. | ||
|- | |- | ||
|global_interface_status_change | |global_interface_status_change | ||
|checked when the status of an interfaces changes | |This trigger is checked when the status of an interfaces changes. | ||
|- | |- | ||
|global_interface_speed_change | |global_interface_speed_change | ||
|checked when the speed of an interfaces changes | |This trigger is checked when the speed of an interfaces changes. | ||
|- | |- | ||
|global_interface_speed_mismatch | |global_interface_speed_mismatch | ||
|checked when the status or speed of an interfaces changes and mismatches the speed of corresponding interface of a link | |This trigger is checked when the status or speed of an interfaces changes and mismatches the speed of corresponding interface of a link. | ||
|- | |- | ||
|global_traffic | |global_traffic | ||
| | |This trigger is checked continuously for the total traffic of the device. The update interval is defined by the timespan parameter of the attributes. | ||
|} | |} | ||
=== Channel configuration === | ==== 1.3. Available attributes ==== | ||
* mac_traffic | |||
** broadcast_packet_rate: The attribute is the number of packets per second on average over the configured timespan for MAC broadcast packets. | |||
* mac_new_address | |||
** since_start_time: This is number of seconds after packet processing start when the MAC address appeared. This is useful to only report new MAC address after some learning time. | |||
* mac_new_l7_protocol | |||
** since_start_time: This is number of seconds after packet processing start when the MAC address appeared. This is useful to only report new MAC address after some learning time. | |||
* arp_ip_mac_changed | |||
** time_since_last_mac: This is number of seconds between changed MAC addresses. If, for examples, dynamic IP assignment is used, changing MAC addresses is normal so the test can be limited to only a certain amount of time. | |||
* ip_flow_end | |||
** total_packets: The total number of packets seen for both directions of the flow. | |||
** total_bytes: The total number of bytes seen for both directions of the flow. | |||
** tcp_handshake_time: The TCP handshake time. | |||
** percent_transmissions: The amount of TCP retransmission as a percentage of the total bytes. | |||
** duration: The time between first and last packet of the flow. | |||
* ip_traffic | |||
** throughput: The throughput bandwidth in bit/s on average during the configured timespan. | |||
** total_packets: The number of packets seen in the configured timespan. | |||
** total_bytes: The number of bytes seen in the configured timespan. | |||
** retransmission_ratio: The number of zero window packets seen in the configured timespan. | |||
** zero_window_packets: The number of zero window packets seen in the configured timespan. | |||
* ip_new_local_ip | |||
** since_start_time: This is number of seconds after packet processing start when the MAC address appeared. This is useful to only report new MAC address after some learning time. | |||
* ip_new_local_l7_protocol | |||
** since_start_time: This is number of seconds after packet processing start when the MAC address appeared. This is useful to only report new MAC address after some learning time. | |||
* ip_local_ip_multiple_macs | |||
** mac_count: The number of different MAC address for the corresponding IP address. | |||
* ip_tcp_handshake | |||
** handshake_time: The TCP handshake time between the first SYN packet the ACK packet for the SYN/ACK packet of the server. | |||
* qos_traffic | |||
** throughput: The throughput bandwidth in bit/s on average during the configured timespan. | |||
** total_packets: The number of packets seen in the configured timespan. | |||
** total_bytes: The number of bytes seen in the configured timespan. | |||
* dns_server_not_responding | |||
** time_since_first_unanswered_request: This is the time span between when the trigger is checked and the first DNS request that has not been answered by the DNS server. | |||
* sip_call_end | |||
** duration: The call duration. | |||
** status: The call status code (a three digit number, like 200 for Success) | |||
** mos: The average MOS quality value of the call, using the minimum of both call sides. | |||
** percent_loss: The percentage of RTP packet loss for the call, accounting packets from both directions. | |||
** jitter: The average jitter of the call, using the maximum value of both call sides. | |||
** total_packets: The number of packets seen in the configured timespan. | |||
** total_bytes: The number of bytes seen in the configured timespan. | |||
* global_interface_status_change | |||
** interface_status: 0 means interface is down, 1 means interface is up. | |||
* global_interface_speed_change | |||
** interface_speed: The current speed of the interface in mbit/s. | |||
* global_interface_speed_mismatch | |||
** link_speed_difference: This is the absolute difference between the speeds of both interface of a link in mbit/s. | |||
* global_traffic | |||
** throughput: The throughput bandwidth in bit/s on average during the configured timespan. | |||
** packet_rate: The packet packets/s on average during the configured timespan. | |||
=== 2. Channel configuration === | |||
TODO | TODO | ||
=== Other incidents settings === | === 3. Other incidents settings === | ||
TODO | TODO | ||
=== Occured incident view === | === 4. Occured incident view === | ||
TODO | TODO | ||
=== Rule statistics === | === 5. Rule statistics === | ||
TODO | TODO |
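Review bot: In the new "1.3. Available attributes" list, the ip_traffic entry retransmission_ratio carries the same description as zero_window_packets ("The number of zero window packets seen in the configured timespan."), so the ratio itself is left undocumented; it needs its own description stating what is divided by what. The since_start_time text under mac_new_l7_protocol, ip_new_local_ip and ip_new_local_l7_protocol is copied from mac_new_address and still says "when the MAC address appeared"; each should name the event of its own trigger (new l7 protocol, new local IP). Under ip_flow_end the attribute is named percent_transmissions but described as TCP retransmission, so either the name or the description should be checked. Under sip_call_end, total_packets and total_bytes refer to "the configured timespan" although the trigger fires per call end, and the global_traffic packet_rate description reads "The packet packets/s". In the trigger table, the arp_ip_mac_changed and ip_local_ip_multiple_macs rows would read more clearly if they stated the condition ("when the MAC address for a requested IP has changed", "when more than one MAC address uses this IP"), since these two triggers are the ones that flag ARP spoofing or address conflicts.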