488
edits
Incidents: Difference between revisions
m
no edit summary
No edit summary |
mNo edit summary |
||
| Line 11: | Line 11: | ||
Up to 1000 incidents will be remembered by the system and if this limit is exceeded the oldest incidents will be discarded. | Up to 1000 incidents will be remembered by the system and if this limit is exceeded the oldest incidents will be discarded. | ||
== | == Rule configuration == | ||
[[File:Incidents rules.png|thumb|600x600px|Rule configuration]] | [[File:Incidents rules.png|thumb|600x600px|Rule configuration]] | ||
Incident rules can be defined in the "Configuration of incident rules" tab in the menu "Generic -> Incidents". All changes to the rule configuration will only take affect after saving the current configuration by clicking on the save button at the bottom of the page. | Incident rules can be defined in the "Configuration of incident rules" tab in the menu "Generic -> Incidents". All changes to the rule configuration will only take affect after saving the current configuration by clicking on the save button at the bottom of the page. | ||
| Line 187: | Line 187: | ||
** packet_rate: The packet packets/s on average during the configured timespan. | ** packet_rate: The packet packets/s on average during the configured timespan. | ||
== | == Channel configuration == | ||
[[File:Incidents channels.png|thumb|600x600px|Channel configuration]] | [[File:Incidents channels.png|thumb|600x600px|Channel configuration]] | ||
Incidents can be reported on different channels. The configuration allows to add new channels so they can be selected in the rule configuration described above. | Incidents can be reported on different channels. The configuration allows to add new channels so they can be selected in the rule configuration described above. | ||
| Line 202: | Line 202: | ||
Some incidents cannot be configured via rules and you can choose to get those incidents also via email by enabling the settings at the lower part of the settings page. | Some incidents cannot be configured via rules and you can choose to get those incidents also via email by enabling the settings at the lower part of the settings page. | ||
== | == Burst incident settings == | ||
[[File:Incidents others.png|thumb|600x600px|Other incidents]] | [[File:Incidents others.png|thumb|600x600px|Other incidents]] | ||
Burst incidents with milli-second resolution can be generated when the interface throughput exceeds a configurable threshold. The incident contains a graph of traffic for that interface with some data points before and after the threshold has been exceeded depending on the measurement interval. A PCAP link for capturing from the packet ring buffer is shown. For further investigation of that incident, the button Use as global time range can be used to set the global range to the start and end of the incident graph (at least 5 seconds) so that all modules of the Allegro Network Multimeter show that time span. The incident generation can be configured as follows: | Burst incidents with milli-second resolution can be generated when the interface throughput exceeds a configurable threshold. The incident contains a graph of traffic for that interface with some data points before and after the threshold has been exceeded depending on the measurement interval. A PCAP link for capturing from the packet ring buffer is shown. For further investigation of that incident, the button Use as global time range can be used to set the global range to the start and end of the incident graph (at least 5 seconds) so that all modules of the Allegro Network Multimeter show that time span. The incident generation can be configured as follows: | ||
| Line 210: | Line 210: | ||
* '''Throughput cool-down period between two incidents in milliseconds''': Defines the time after an incident where no new incident is generated even if the threshold is exceeded. If this period is passed, throughput incidents could be generated again. | * '''Throughput cool-down period between two incidents in milliseconds''': Defines the time after an incident where no new incident is generated even if the threshold is exceeded. If this period is passed, throughput incidents could be generated again. | ||
== | == Occured incident view == | ||
This page shows up to the last 1000 incidents occurred on the system. The table can be filtered for specific severity levels, as well as for specific trigger sources by selecting the trigger from the drop down menu. | This page shows up to the last 1000 incidents occurred on the system. The table can be filtered for specific severity levels, as well as for specific trigger sources by selecting the trigger from the drop down menu. | ||
[[File:Incidents list filter.png|thumb|600x600px|Filter incidents by severity or trigger]] | [[File:Incidents list filter.png|thumb|600x600px|Filter incidents by severity or trigger]] | ||
| Line 219: | Line 219: | ||
Incidents can be deleted individually by clicking on the delete button next to the incident, or all incident can be deleted by clicking on the button on the top right of the page. | Incidents can be deleted individually by clicking on the delete button next to the incident, or all incident can be deleted by clicking on the button on the top right of the page. | ||
== | == Rule statistics == | ||
[[File:Incidents stats.png|thumb|600x600px|Statistics about rules]] | [[File:Incidents stats.png|thumb|600x600px|Statistics about rules]] | ||
This page shows graphs about how often each rule has been hit both in absolute numbers as well as relatively to how often the rule has been checked. | This page shows graphs about how often each rule has been hit both in absolute numbers as well as relatively to how often the rule has been checked. | ||
== | == Incident list per measurement modules == | ||
Since incidents are triggered by different measurement modules (as indicate by the prefix of the trigger name, like the mac or ip module), the list of incidents from that specific module can also be seen in the corresponding tab of the measurement module for quicker access. This per-module view only lists those incidents coming from that module, all other potential incidents are hidden and must be accessed in their corresponding module page, or in the global view in the "Generic -> Incident" menu. | Since incidents are triggered by different measurement modules (as indicate by the prefix of the trigger name, like the mac or ip module), the list of incidents from that specific module can also be seen in the corresponding tab of the measurement module for quicker access. This per-module view only lists those incidents coming from that module, all other potential incidents are hidden and must be accessed in their corresponding module page, or in the global view in the "Generic -> Incident" menu. | ||
== | == Limitations == | ||
Some technical limitations apply: | Some technical limitations apply: | ||
* continuousl checked triggers like "IP traffic" are only evaluated if there was at least one packet in the corresponding time interval. Therefore, rules check for zero packet count or throughput will never match.ys | * continuousl checked triggers like "IP traffic" are only evaluated if there was at least one packet in the corresponding time interval. Therefore, rules check for zero packet count or throughput will never match.ys | ||