183
edits
Incidents: Difference between revisions
m
Drop outdated firmware versions
No edit summary |
m (Drop outdated firmware versions) |
||
| Line 39: | Line 39: | ||
** Some attributes have an additional parameter, like a time span which defines how the attribute value is calculated. | ** Some attributes have an additional parameter, like a time span which defines how the attribute value is calculated. | ||
* Virtual link group: The rule can be limited to a selected [[Virtual Link Group functionality|virtual link group]] or to be applied for any group. Some triggers cannot be limited to a virtual link group so the configuration will be hidden. | * Virtual link group: The rule can be limited to a selected [[Virtual Link Group functionality|virtual link group]] or to be applied for any group. Some triggers cannot be limited to a virtual link group so the configuration will be hidden. | ||
* IP filter: Depending on the selected trigger, the rule can be limited to a specific IP address. | * IP filter: Depending on the selected trigger, the rule can be limited to a specific IP address. The IP filter can also be an IP subnet in the format IP/mask-length (Example: 10.0.0.0/8) | ||
* IP group: Depending on the selected trigger, the rule can be applied to an IP group instead of an individual IP address. | * IP group: Depending on the selected trigger, the rule can be applied to an IP group instead of an individual IP address. | ||
* Virtual link group, IP and IP filter can also be used inversely by using the != comparator | * Virtual link group, IP and IP filter can also be used inversely by using the != comparator | ||
* Report channel: Incidents are always visible in the web interface, but can also be reported via multiple channels which can be configured separately in the tab "Configuration of notification channels". Up to ten channels can be selected so that the incident for this rule is reported on each channel. Also, no channel can be configured so the incident is only accessible on the web interface. | * Report channel: Incidents are always visible in the web interface, but can also be reported via multiple channels which can be configured separately in the tab "Configuration of notification channels". Up to ten channels can be selected so that the incident for this rule is reported on each channel. Also, no channel can be configured so the incident is only accessible on the web interface. | ||
* Aggregation of recurring Incidents: Incidents are aggregated by default. This means the table only shows the number of incidents of the type and the timestamps of the first and the last incident. This can be disabled for most of the incidents, so that you are able to see every indent of the incident-type. | * Aggregation of recurring Incidents: Incidents are aggregated by default. This means the table only shows the number of incidents of the type and the timestamps of the first and the last incident. This can be disabled for most of the incidents, so that you are able to see every indent of the incident-type. | ||
* Time Profiles: | * Time Profiles: You are able to set a profile which defines the active time of an incident rule. | ||
* Traffic capturing | * Traffic capturing: If supported by the trigger, the rule can be configured to capture the network traffic triggering the rule, including some extra time before and after the incident. | ||
** Possible options: | ** Possible options: | ||
*** Disabled: capturing is disabled for this rule | *** Disabled: capturing is disabled for this rule | ||
| Line 369: | Line 369: | ||
=== Capture settings === | === Capture settings === | ||
It is possible to automatically capture traffic for occurred incidents. These global settings control where capture files are stored and the capturing itself can be enabled for each rule separately. | |||
The incident capture feature requires an active packet ring buffer since the packets are extracted from the buffer at the end of the incident period. | The incident capture feature requires an active packet ring buffer since the packets are extracted from the buffer at the end of the incident period. | ||
| Line 396: | Line 396: | ||
'''email''' Incidents will be sent to the email address configured in the [[Global settings]]. | '''email''' Incidents will be sent to the email address configured in the [[Global settings]]. | ||
'''kafka''' The incidents are sent to a topic on the configured Apache Kafka server | '''kafka''' The incidents are sent to a topic on the configured Apache Kafka server. The message is the same as for syslog. | ||
* Bootstrap Server: hostname/ip:port of a Kafka Broker or multiple Brokers separated by comma | * Bootstrap Server: hostname/ip:port of a Kafka Broker or multiple Brokers separated by comma | ||
* Protocol: Plaintext (no authentication, no encryption), SASL Paintext (Plain authentication, no encryption), SASL SSL (Plain authentication, TLS/SSL encryption) | * Protocol: Plaintext (no authentication, no encryption), SASL Paintext (Plain authentication, no encryption), SASL SSL (Plain authentication, TLS/SSL encryption) | ||
| Line 404: | Line 404: | ||
* Topic: The name of the topic into which the Incidents are sent. | * Topic: The name of the topic into which the Incidents are sent. | ||
'''snmp_trap''' Incidents will be sent to the configured SNMP trap receiver | '''snmp_trap''' Incidents will be sent to the configured SNMP trap receiver. A MIB file with the Allegro Network Multimeter SNMP trap definitions is available for download in the channel configuration dialog. | ||
* Version: Supported SNMP version of the trap receiver (SNMP v2c or SNMP v3) | * Version: Supported SNMP version of the trap receiver (SNMP v2c or SNMP v3) | ||
* Trap receiver (manager) hostname/IP: The trap receiver hostname or IP address | * Trap receiver (manager) hostname/IP: The trap receiver hostname or IP address | ||