Defining Alarms for Collected Logs


 

Alarms are the heart of system management: they carry the key information about current or potential problems. Administrators have to analyse every alarm and acknowledge it. In a typical business environment a large number of messages arrives from various sources (Event Log, Syslog, SNMP Trap), and the administrator has to go through each message before deciding on an action.

 

Certain systems need privileged attention and must be attended to with the highest priority. For example, an event message generated by the gateway system about consecutive failed login attempts indicates a potential attack, and a Syslog message about a large mail queue indicates degradation in mail server performance.

 

SapphireIMS provides a powerful capability for handling events from heterogeneous sources in a unified manner. This feature is called Alarm Unification. The administrator configures a unification rule, and the matching event logs, Syslog messages or traps are converted into a unified format (SapphireIMS alarms). Administrators then analyse only the alarms and decide upon the course of action to take.

 

To define an alarm unification rule, follow the steps below.

1. Click the 'Settings' tab. In the 'Fault and Notifications' section click 'Alarm Unification'. This lists the currently configured rules, if any are defined. Click 'Add' to define a new rule. The alarm unification screen shown below will be displayed.

 

[Image: Alarm Unification screen]

   Sr. No  Field Name    Description
   1       Name          Enter the name of the alarm unification rule
   2       Description   Brief description of the alarm unification rule
   3       Input Alarm   Select the source of the input alarm: Event Log, Syslog, SNMP Traps, Change Log, Application Log or Symantec Events
   4       Host Filter   Specify the node filter range to be used while applying this unification rule
   5       Next          Proceed with further definition of the rule
   6       Cancel        Cancels the operation

2. Define the alarm unification rule parameters

[Image: Alarm Rule Definition screen]

   Sr. No  Field Name          Description
   1       Field               Select the field to which the filter condition applies. Select 'Event Identifier' to generate an alarm for a specific event. If 'Input Alarm' is 'Change Logs', the field drop-down is populated with 'Hardware Change' and 'Software Change'.
                               Note: Inventory and Asset Reports can be selected based on 'Change log based on hardware' and 'Change log based on software'.
   2       Value               Specify the value for the filter condition
   3       Condition (AND/OR)  Operator to be used between multiple field filters within a sub rule
   4       ADD                 Adds the condition specified in Field and Value as a sub rule
   5       Condition (AND/OR)  Multiple sub rules can be defined; this condition is the operator between the sub rules (refer to the image above).
                               Example: ((Event type = Warning) AND (Log File Type = Security)) is one sub rule and (Log File Type = Application) is another sub rule; OR is the condition between the two sub rules.
   6       Next                Proceed with further definition of the rule
   7       Cancel              Cancels the operation

3. Define the output alarms for the unification rule

[Image: Output Alarm Format screen]

   Sr. No  Field Name                   Description
   1       Severity                     Severity to be assigned to the generated output alarm
   2       Macro                        Built-in macros provided by the system. Select the macro to be inserted into the alarm message
   3       Alarm Message                Custom text to be used as the output alarm message. Macros substitute the original alarm's field values into the message

   Alarm Correlation Settings
   4       Tolerance Count              Specify a tolerance count, if any, so that occasional irrelevant spikes in the monitored parameter are not classified as an alarm. No alarm is generated while the breaches stay within the tolerance count. 0 represents infinite
   5       Suppress Consecutive Alerts  If a further alarm is generated within the specified time period it is suppressed. 0 minutes means suppression continues indefinitely, until the active alarm is resolved

4. To define the notifications, select a notification profile. Whenever an alarm is generated by this rule, the users defined in the selected profile are notified.

5. To define the service request parameters for the rule, select a service desk integration profile. A service request is then submitted automatically into the SapphireIMS service desk module as defined in the selected profile.

6. To edit a rule, click the rule name listed in the 'Alarm Unification' screen; the edit screen is displayed.

7. To delete a rule, select it in the 'Alarm Unification' list and click 'Delete'.

Important: Rules take effect from the next data collection onwards, and the corresponding log analyzer alarms are generated from then on. The generated alarms can be viewed by clicking 'Fault' and then 'Event Logs', 'Sys Logs' or 'SNMP Traps'.
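The rule semantics described in steps 1 to 3 (input source and host filter, field conditions joined by AND/OR into sub rules, an output alarm with macro substitution, tolerance count and consecutive-alert suppression) can be modelled in a few lines. The Python below is an added illustrative example and is not SapphireIMS code: the record dictionary shape, the regular-expression form of the host filter, the `$field` macro syntax, the reading of tolerance count as "alarm only once the number of matches per host exceeds the count", and every sample record are assumptions of this example. The first rule is the gateway failed-logon case from the introduction (Windows event 4625, "An account failed to log on"); the second is the page's own ((Event type = Warning) AND (Log File Type = Security)) OR (Log File Type = Application) example.

```python
import re
from dataclasses import dataclass
from string import Template


def ev(host, ts, event_id, event_type, log_file, message, source="Event Log"):
    # One normalised record; the dict shape is an assumption of this example.
    return {"source": source, "host": host, "ts": ts, "event_id": event_id,
            "event_type": event_type, "log_file": log_file, "message": message}


# Constructed sample records, not real data. "ts" is seconds since collection
# started; Windows event 4625 is "An account failed to log on".
SAMPLE_RECORDS = [
    ev("gw-01", 0, 4625, "Audit Failure", "Security", "logon failure for admin from 203.0.113.7"),
    ev("gw-01", 5, 4625, "Audit Failure", "Security", "logon failure for admin from 203.0.113.7"),
    ev("gw-01", 9, 4625, "Audit Failure", "Security", "logon failure for root from 203.0.113.7"),
    ev("gw-01", 12, 4625, "Audit Failure", "Security", "logon failure for admin from 203.0.113.7"),
    ev("fs-02", 30, 4625, "Audit Failure", "Security", "logon failure for backup from 10.0.0.9"),
    ev("app-01", 50, 1000, "Error", "Application", "Faulting application svc.exe"),
    ev("app-01", 55, 1000, "Error", "Application", "Faulting application svc.exe"),
    ev("gw-01", 60, 5000, "Warning", "Security", "constructed security warning"),
    # Matches the Application sub rule on its fields alone, but the Input Alarm
    # selection keeps a Syslog record out of an Event Log rule.
    ev("mail-01", 70, None, "Warning", "Application", "mail queue size 12000", source="Syslog"),
]


@dataclass
class SubRule:
    conditions: list   # (field, value) pairs, compared case-insensitively
    op: str = "AND"    # step 2, row 3: operator between the field filters

    def matches(self, rec):
        hits = [str(rec.get(f, "")).lower() == str(v).lower() for f, v in self.conditions]
        return all(hits) if self.op == "AND" else any(hits)


@dataclass
class UnificationRule:
    name: str
    input_alarm: str   # step 1: Event Log / Syslog / SNMP Traps ...
    host_filter: str   # step 1: node filter, modelled here as a host-name regex
    sub_rules: list
    sub_rule_op: str   # step 2, row 5: operator between the sub rules
    severity: str      # step 3: severity of the output alarm
    message: str       # step 3: $field macros are substituted from the record
    tolerance_count: int = 0   # alarm only once matches per host exceed this (assumed reading)
    suppress_seconds: int = 0  # 0: suppress repeats until the alarm is resolved

    def matches(self, rec):
        if rec["source"] != self.input_alarm or not re.fullmatch(self.host_filter, rec["host"]):
            return False
        hits = [s.matches(rec) for s in self.sub_rules]
        return all(hits) if self.sub_rule_op == "AND" else any(hits)


class Unifier:
    # Feeds records through the rules in time order and collects unified alarms.
    def __init__(self, rules):
        self.rules = rules
        self.match_count = {}  # (rule name, host) -> matches seen so far
        self.last_alarm = {}   # (rule name, host) -> ts of the last alarm raised

    def process(self, rec):
        alarms = []
        for rule in self.rules:
            if not rule.matches(rec):
                continue
            key = (rule.name, rec["host"])
            self.match_count[key] = self.match_count.get(key, 0) + 1
            if self.match_count[key] <= rule.tolerance_count:
                continue  # still within the tolerance count: no alarm yet
            last = self.last_alarm.get(key)
            if last is not None and (rule.suppress_seconds == 0
                                     or rec["ts"] - last < rule.suppress_seconds):
                continue  # consecutive alert suppressed
            self.last_alarm[key] = rec["ts"]
            alarms.append({"rule": rule.name, "severity": rule.severity, "host": rec["host"],
                           "ts": rec["ts"], "message": Template(rule.message).safe_substitute(rec)})
        return alarms


RULES = [
    # Consecutive failed logons on a gateway: two failures are tolerated, the
    # third raises a Critical alarm, further failures are suppressed for 10 min.
    UnificationRule("Gateway failed logons", "Event Log", r"gw-.*",
                    [SubRule([("event_id", 4625), ("log_file", "Security")])], "AND",
                    "Critical", "$host: repeated failed logons ($message)",
                    tolerance_count=2, suppress_seconds=600),
    # The page's example: ((Event type = Warning) AND (Log File Type = Security))
    # OR (Log File Type = Application), with repeats suppressed until resolved.
    UnificationRule("Security warnings or application errors", "Event Log", r".*",
                    [SubRule([("event_type", "Warning"), ("log_file", "Security")]),
                     SubRule([("log_file", "Application")])], "OR",
                    "Major", "$log_file event $event_id on $host: $message"),
]


def run(records=SAMPLE_RECORDS, rules=RULES):
    # Returns the unified alarms produced for the records, oldest first.
    unifier = Unifier(rules)
    alarms = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        alarms.extend(unifier.process(rec))
    return alarms
```

Running `run()` on the sample yields three alarms: one Critical alarm for gw-01 at the third failed logon (the fourth failure is suppressed), one Major alarm for the first Application event on app-01 (the repeat is suppressed because the suppression period is 0, i.e. until resolved), and one Major alarm for the Security warning on gw-01. The fs-02 failures never alarm because the host filter excludes them, and the Syslog record never alarms because the rule's Input Alarm is Event Log. Note that tolerance count and suppression are tracked per rule and per host, so a distributed attack that spreads failures across many gateways would need a lower tolerance, or a rule keyed on the source address, to surface early.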