Limited support: BMC provides limited support for this version of the product. As a result, BMC no longer accepts comments in this space. If you encounter problems with the product version or the space, contact BMC Support. BMC recommends upgrading to the latest version of the product. To see documentation for that version, see BMC AMI Command Center for Security 6.2.

Using counter alerts

The Alert component is central to BMC Defender Server and its correlation applications. It is configured in the Alerts > Counters tab and takes three inputs: a system counter, a threshold for that counter, and a test interval over which the counter is measured.

The alert facility works with a wide selection of internal BMC Defender Server system counters, letting you detect when a counter changes or when its rate of change exceeds a limit. Thread counters are the most common alert targets, but you can also monitor other counters (such as user-name and device counters), which extends alerting to many other kinds of system data.

The alerting component has two distinct outputs: a syslog message, and an optional ticket assigned either to a user or to a ticket group.

Whenever a threshold is violated, the alerting component always sends a syslog message. This message is fed back into the message stream for further correlation. The text of the alert message is entirely under your control: it describes the over-limit condition, and it can itself trigger an action program or increment further counters that have their own alerts, so that alerts can be chained.

A ticket can optionally be opened for any system user or ticket group whenever a threshold is violated. This provides a way of monitoring and dispatching alerts beyond simply logging the alert condition, and it can incorporate workflow features and incident-management policies.

Section summary and additional notes about counter alerts

  • Alerts operate on the rates of system counters. These counters can be user-defined threads as well as a variety of other counters on the system.
  • When an alert fires, it sends a syslog message with a user-defined text back to BMC Defender Server. The system can further correlate this message.
  • When an alert fires, it can optionally open a ticket and assign it to a system user or ticket group. This keeps track of significant events on the system and creates actionable data for operations.
  • You can see the recommended thresholds for alerts by clicking the Alert Threshold Hints link on the Alert Edit screen. These threshold hints are derived from observed message rates and from standard-deviation intervals around the average message rate.
  • The recommended thresholds can be applied to alerts automatically by the BMC Defender Server Auto-Learn function, which adjusts alert thresholds up or down each night, shortly after midnight, for a defined number of days (by default 10 days after installation or after a new alert is created).
  • Alert formulas are user-defined combinations of counters joined by arithmetic expressions. This lets several counters be combined into a single counter, with each counter weighted and scaled as part of the formula.
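The following is an added, constructed example that is not BMC Defender Server code and does not use any BMC API. It models the behaviour described in this section and in the summary list: counters and user-defined weighted formulas are tested against a threshold once per interval; a violation always emits a syslog message that is fed back as a new counter for further correlation (so a second-stage alert can fire on it), and optionally opens a ticket for a user or group; threshold hints are mean rate plus k standard deviations, and an auto-learn step adopts the hint for a limited number of days. The counter names, thresholds, event counts, syslog format and assignee are all assumptions.

```python
"""Counter-alert simulation (constructed example, not BMC code).
Counters are tested per interval; a violation always emits a syslog
message that is fed back as a counter, and may open a ticket."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Callable, Dict, List, Optional


@dataclass
class Alert:
    name: str
    counter: str                # raw counter name or a registered formula name
    threshold: float            # fires when the interval rate exceeds this
    message: str                # user-defined text; {rate} and {threshold} are filled in
    ticket_assignee: Optional[str] = None   # user or ticket group; None = syslog only
    learn_days_left: int = 10   # auto-learn window (the page's default is 10 days)


@dataclass
class Ticket:
    alert: str
    assignee: str
    detail: str


class AlertEngine:
    def __init__(self) -> None:
        self.counts: Dict[str, int] = {}            # events seen in the current interval
        self.formulas: Dict[str, Callable[[Dict[str, int]], float]] = {}
        self.history: Dict[str, List[float]] = {}   # past per-interval rates, for hints
        self.syslog: List[str] = []                 # messages fed back for correlation
        self.tickets: List[Ticket] = []

    def count(self, counter: str, n: int = 1) -> None:
        """Increment a raw counter (for example a thread that matched a message)."""
        self.counts[counter] = self.counts.get(counter, 0) + n

    def add_formula(self, name: str, fn: Callable[[Dict[str, int]], float]) -> None:
        """Register a user-defined formula that combines and weights counters."""
        self.formulas[name] = fn

    def rate(self, key: str) -> float:
        """Current-interval value of a raw counter or of a formula."""
        if key in self.formulas:
            return float(self.formulas[key](self.counts))
        return float(self.counts.get(key, 0))

    def threshold_hint(self, key: str, k: float = 2.0) -> Optional[float]:
        """Suggested threshold: mean past rate plus k standard deviations."""
        hist = self.history.get(key, [])
        if len(hist) < 2:
            return None
        return mean(hist) + k * pstdev(hist)

    def auto_learn(self, alert: Alert) -> Optional[float]:
        """Nightly adjustment: adopt the current hint while the learning window is open."""
        if alert.learn_days_left <= 0:
            return None
        hint = self.threshold_hint(alert.counter)
        if hint is not None:
            alert.threshold = hint
        alert.learn_days_left -= 1
        return hint

    def end_of_interval(self, alerts: List[Alert]) -> List[str]:
        """Test every alert against this interval's rates; return the names that fired."""
        fired: List[str] = []
        feedback: List[str] = []
        for alert in alerts:
            r = self.rate(alert.counter)
            self.history.setdefault(alert.counter, []).append(r)
            if r > alert.threshold:
                fired.append(alert.name)
                text = alert.message.format(rate=r, threshold=alert.threshold)
                # Syslog output is unconditional. PRI 12 = facility user(1)*8 + warning(4).
                self.syslog.append(f"<12>defender alert={alert.name}: {text}")
                feedback.append(f"alert:{alert.name}")   # fed back as a counter
                if alert.ticket_assignee:                 # the ticket is optional
                    self.tickets.append(Ticket(alert.name, alert.ticket_assignee, text))
        self.counts = {}                                  # start the next interval
        for c in feedback:
            self.count(c)
        return fired


def demo() -> dict:
    """Four intervals of constructed data: baseline, burst, then a second-stage alert."""
    eng = AlertEngine()
    # weighted formula: a sudo failure counts five times an ssh failure
    eng.add_formula("auth_risk", lambda c: c.get("ssh_fail", 0) + 5 * c.get("sudo_fail", 0))
    alerts = [
        Alert("ssh_failures", "ssh_fail", 20, "ssh failures {rate} > {threshold}", "soc-l1"),
        Alert("auth_risk_high", "auth_risk", 40, "weighted auth risk {rate}"),
        # second-stage alert on the counter that the first alert's syslog message feeds
        Alert("alert_storm", "alert:ssh_failures", 0, "ssh alert fired last interval"),
    ]
    fired = []
    eng.count("ssh_fail", 3)
    eng.count("sudo_fail", 1)
    fired.append(eng.end_of_interval(alerts))            # []
    eng.count("ssh_fail", 5)
    fired.append(eng.end_of_interval(alerts))            # []
    eng.count("ssh_fail", 30)
    eng.count("sudo_fail", 4)
    fired.append(eng.end_of_interval(alerts))            # ['ssh_failures', 'auth_risk_high']
    fired.append(eng.end_of_interval(alerts))            # ['alert_storm']
    return {"fired": fired, "syslog": eng.syslog, "tickets": eng.tickets}
```

Two points the simulation makes visible. First, because a fired alert's syslog message is counted like any other message, an alert that increments a counter which in turn drives the same alert forms a feedback loop; keep chained alerts acyclic. Second, a hint of mean plus k standard deviations, and an auto-learn step that adopts it nightly, will learn an attack burst as part of the baseline if the burst falls inside the learning window, so check the learned thresholds before the window closes.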
