Limited support: BMC provides limited support for this version of the product. As a result, BMC no longer accepts comments in this space. If you encounter problems with the product version or the space, contact BMC Support. BMC recommends upgrading to the latest version of the product. To see documentation for that version, see BMC AMI Command Center for Security 6.2.

Defining correlation alerts and tickets


Once a thread is created, you can optionally add an alert threshold for the thread counter. (The thread counter appears at the right of the thread title on the Correlation > Threads screen.)

Alerts compare correlation counters to limits and then send syslog messages (of your selection) back to BMC Defender Server. Alerts can also open tickets on the system, assigning these tickets to specific users and groups. The procedure for creating an alert and ticket is as follows:

  1. Log on to the BMC Defender Server system and click the Alerts tab at the top of the screen. This displays a list of the current alerts on the system. You can sort these alerts, or filter them by keyword. Any alert that is set is shown in red; any alert shown in green is not currently set. The current threshold and current value for each alert are displayed next to the alert state color.
  2. To add a new alert, click Wizard in the upper right of the screen. This starts the Add New Alert wizard, which guides you through the process of adding a new alert to the system. (More experienced users can simply click AddNew to configure a new alert.)
  3. The Add New Alert wizard prompts you for the Counter Name, presented as a drop-down menu. You can select any thread, as well as various other counters on the system. When a new thread is added to the system, it appears in this drop-down list.
  4. The Add New Alert wizard prompts you for the compare function, threshold, and test interval. You can click the View Counter Threshold Hints hyperlink to see recommendations (and then click back to return to the wizard). Or, in the absence of any data or other requirement, you can accept the default value of 3 per 60 seconds, and the Auto-Learn function adjusts the threshold accordingly.
  5. The Add New Alert wizard queries you for a facility, severity, and whom to assign the ticket to. Optionally, adjust the severity of the alert. In the absence of any other requirement, use the other defaults for the screen, that is, assign the ticket to yourself.
  6. The Add New Alert wizard queries you for an alert message. This is the message that is sent to the BMC Defender Server and is also the text that appears in the ticket message. The wizard always suggests an appropriate message. However, you might further tailor this message by adding or deleting text. (You can also make these and other adjustments after the alert is created.)
  7. Finish the wizard. The alert appears at the top of the alert list and is pinned. You can edit the alert by clicking Edit, including unpinning the alert.

Once the alert is created, you can test the alert and verify it correctly opens a ticket. This can be accomplished using the More menu in the upper right corner of the display. Select Send Msg from the menu. (This tool is also available at the top of the Messages > Search screen.)

Using the Send syslog Message tool, furnish a test message that matches the thread (or other system counter) specified in Step 3.

Note

You can specify the source device for the message through the Additional Options of the Send Syslog Message screen. Send the message until the threshold specified in Step 4 is reached. The alert turns red and a ticket is opened, which appears in the Tickets > Open tab of the system.
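The threshold check that Steps 3 through 6 configure, and that the test above exercises, as an added illustration in Python (this is not BMC's code; the compare function, the "Failed password" match pattern, and the facility, severity and assignee defaults are assumptions):

```python
# Constructed model of a correlation alert (not BMC product code): a thread
# counter is compared to a threshold over a test interval; when satisfied,
# the alert is set (shown red) and a ticket is opened for the assignee.
import operator
import re
from collections import deque
from dataclasses import dataclass, field

COMPARE = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
           "<=": operator.le, "==": operator.eq}
# Constructed test message, like one sent with the Send Syslog Message tool.
SAMPLE_MSG = "<38>Mar 10 12:00:01 fw01 sshd[4321]: Failed password for root from 192.0.2.7"

@dataclass
class Ticket:
    facility: str
    severity: str
    assignee: str
    message: str

@dataclass
class CorrelationAlert:
    counter_name: str           # thread (or other counter) chosen in Step 3
    match: str                  # assumed: regex the thread matches on message text
    compare: str = ">="         # compare function (assumed default)
    threshold: int = 3          # wizard default: 3 per 60 seconds
    interval: int = 60          # test interval in seconds
    facility: str = "local0"    # Step 5 values (assumed defaults)
    severity: str = "warning"
    assignee: str = "admin"
    message: str = ""           # Step 6 alert/ticket message
    hits: deque = field(default_factory=deque)   # timestamps of matching messages
    is_set: bool = False
    tickets: list = field(default_factory=list)

    def counter(self, now):
        """Current counter value: matching messages inside the test interval."""
        while self.hits and now - self.hits[0] >= self.interval:
            self.hits.popleft()
        return len(self.hits)

    def receive(self, ts, text):
        """Feed one syslog message at time ts; return whether the alert is set."""
        if re.search(self.match, text):
            self.hits.append(ts)
        was_set = self.is_set
        self.is_set = COMPARE[self.compare](self.counter(ts), self.threshold)
        if self.is_set and not was_set:   # alert turns red: open one ticket
            msg = self.message or f"{self.counter_name} {self.compare} {self.threshold}"
            self.tickets.append(Ticket(self.facility, self.severity, self.assignee, msg))
        return self.is_set
```

Feeding SAMPLE_MSG three times within 60 seconds sets the alert and opens exactly one ticket; once the matching messages age out of the interval the counter drops and the alert clears.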
