Alert Counters screen


The Alert Counters screen can be accessed by clicking the Alerts tab at the top of the screen and then selecting Alerts. This screen sends messages back to the system when a specific counter rises above (or falls below) a user-specified limit, thereby correlating message rates. The Alerts facility can also open tickets, discussed in BMC-Defender-Server-tickets. You can define and further correlate the alert messages. The Correlation Alerts screen is depicted in the following image.

[Image: Correlation Alerts screen]

Correlation Alerts provide an important way of correlating activity on the system and comprise a major function of the BMC Defender Server. Operators can add new alerts, or modify existing alerts, based upon any of the Counter values displayed on the various screens of the system. Alerts are discussed in Using-correlation-alerts.

Alert configuration items

When you click Add New or Edit, BMC Defender Server displays an input form that allows you to create or modify the various alert parameters. Both admin and user type logins can add or modify BMC Defender Server alerts. These alert parameters are as follows:

  • System Counter Name—This drop-down menu lists all the thread titles and other counter names available for alerting. You select the particular thread or system counter whose threshold is continuously monitored.
  • Pin This Alert To Top—This drop-down menu appears only on the Edit screen and allows you to pin the alert to the top of the list. This allows you to keep track of particular alerts of interest. Each user can pin items without affecting other users.
  • Compare Function—This is the compare function to use in the threshold test. You can specify either greater than or equal to or less than or equal to, depending upon the nature of the alert.
  • Threshold—This is the threshold for the comparison, an integer number. The threshold must be in the range of 1 to 50 counts per interval (where the interval is specified in the Test Interval field). This value works with the Auto-Learn function, and you can get a suggestion of thresholds (based upon message history) by clicking View Counter Threshold Hints.
  • Test Interval—This is the interval for the test, in seconds. When the counter exceeds the threshold counts per time interval, an alert is generated.

    Example

    If the compare function is GE, the threshold is 10, and the test interval is 60, then an alert is generated when more than 10 messages occur per minute.

  • Match Alert Time—This is an optional time range that you can use to suppress the generation of alerts, such as restricting alerts to working hours or a second shift. By default, the match time matches all times of the day.

    Note

    More advanced schedules can be configured through the Alerts > Config > Alerts Schedule screen, discussed elsewhere.

  • Alert Message / Ticket Text—This is the message that is sent back to the BMC Defender Server message stream, and that also serves as the text of the ticket (if assigned to a user). The field includes a Suggest option that suggests an appropriate message based upon the system counter name, severity, compare function, and test interval.
  • Insert Variable—This input allows you to insert a variable into the Alert Message. You can incorporate various types of information in the alert message, such as the source IP address, related message content, and device description.
  • Enable Auto-Learning—This input allows you to enable auto-learning. The auto-learn function automatically adjusts alert thresholds up or down based upon message history. For more information, see Auto-Learn-function.
  • Alert Facility—This is the syslog facility to be used when sending a message back to the message stream. The default value is Alert, but the operator can specify some other facility appropriate for the alert.
  • Alert Severity—This is the syslog severity to be used when sending a message back to the message stream; it also identifies the severity of any ticket assigned to a user (as described herein). The value should indicate the severity of the alert condition, ranging from debug to emergency.
  • Assign Incident To User—This input causes a ticket to be opened on the system containing the Alert Message, assigned to the specified user. In addition to assigning a ticket to any BMC Defender Server user, the operator can assign tickets to arbitrary Ticket Users, defined in the Tickets > Config area of the program. When a ticket is opened, it can trigger specific actions, such as sending e-mail. For information about ticket groups, see Ticket-group-wizard.
  • Send Clear Severity—This input indicates that a Clear message is sent when the alert condition clears. You should normally set this value to disabled except in very specialized applications. (If you do not use this setting carefully, it can cause the alert to immediately be set again, causing a program loop.)
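The following Python is an added example, not part of the BMC documentation or product: it models the threshold test that the System Counter Name, Compare Function, Threshold, Test Interval and Match Alert Time parameters above describe, so you can see exactly which intervals would raise an alert for a given message stream. The counter name "Firewall Denies", the dates and the two rules are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone

@dataclass
class AlertRule:
    counter: str                    # System Counter Name
    compare: str                    # Compare Function: "GE" or "LE"
    threshold: int                  # Threshold: counts per interval, 1..50
    interval: int                   # Test Interval, in seconds
    match_start: time = time(0, 0)  # Match Alert Time window; default is all day
    match_end: time = time(23, 59, 59)
    def __post_init__(self):
        if self.compare not in ("GE", "LE"):
            raise ValueError("Compare Function must be GE or LE")
        if not 1 <= self.threshold <= 50:
            raise ValueError("Threshold must be between 1 and 50 counts per interval")
    def fires(self, count):
        # GE: greater than or equal to the threshold; LE: less than or equal to it
        return count >= self.threshold if self.compare == "GE" else count <= self.threshold

def evaluate(rule, events):
    """events: iterable of (aware datetime, counter name). Returns (interval_start, count)
    for each test interval that alerts; intervals with no hits count as 0 (matters for LE)."""
    hits = {}
    for ts, name in events:
        if name != rule.counter: continue
        bucket = int(ts.timestamp()) // rule.interval * rule.interval  # fixed-width interval
        hits[bucket] = hits.get(bucket, 0) + 1
    if not hits: return []
    alerts = []
    for bucket in range(min(hits), max(hits) + 1, rule.interval):
        start = datetime.fromtimestamp(bucket, tz=timezone.utc)
        in_window = rule.match_start <= start.time() <= rule.match_end  # Match Alert Time
        count = hits.get(bucket, 0)
        if in_window and rule.fires(count):
            alerts.append((start, count))
    return alerts

# Constructed sample stream: 12 hits in one minute, a silent minute, then 3 hits;
# a second burst of 15 after hours shows Match Alert Time suppression.
BASE = datetime(2024, 1, 1, 9, 0, 0, tzinfo=timezone.utc)  # constructed date
SAMPLE_EVENTS = (
    [(BASE + timedelta(seconds=i), "Firewall Denies") for i in range(12)]
    + [(BASE + timedelta(minutes=2, seconds=i), "Firewall Denies") for i in range(3)]
    + [(BASE + timedelta(hours=13, seconds=i), "Firewall Denies") for i in range(15)]
)
BURST_RULE = AlertRule("Firewall Denies", "GE", 10, 60, time(8, 0), time(17, 0))
SILENCE_RULE = AlertRule("Firewall Denies", "LE", 1, 60)
```

Running `evaluate(BURST_RULE, SAMPLE_EVENTS)` reports only the 09:00 interval (12 hits); the 22:00 burst is outside the match window, and the LE rule instead flags every quiet minute, which is why an LE alert needs a tight Match Alert Time or it floods the stream.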


BMC AMI Command Center for Security 6.0