Limited support: BMC provides limited support for this version of the product. As a result, BMC no longer accepts comments in this space. If you encounter problems with the product version or the space, contact BMC Support. BMC recommends upgrading to the latest version of the product. To see documentation for that version, see BMC AMI Command Center for Security 6.2.

Adding or editing counter alerts

Correlation alerts are an important BMC Defender Server function, providing a way of correlating activity on the system. For information about adding new alerts, or modifying existing alerts, based on any of the counter values on the system screens, see Using-counter-alerts.

You can use the Alerts > Counters tab to perform the following actions:

  • Correlating message rates by sending messages back to the system when a specific counter exceeds a user-defined threshold
  • Opening tickets. For more information, see BMC-Defender-Server-tickets.
  • Defining and further correlating alert messages

To add or edit counter alerts

  1. To add a new counter alert, navigate to Alerts > Counters and click AddNew.
    To edit an existing counter alert, click Edit on the Alerts > Counters tab.
  2. Modify the following parameter fields (Parameter / Description):

    System Counter Name
      Displays a list of threads and system counters available for alerting. Select a thread or system counter to continuously monitor its threshold.

    Pin This Alert To Top
      Displays a list of alerts (only on the Edit screen) to pin to the top of the list. You can use this parameter to keep track of alerts that are of interest. Each user can pin items without affecting other users.

    Compare Function
      Compare function to use in the threshold test. You can specify either greater than or equal to (GE, as in the example under Test Interval) or less than or equal to, depending on the nature of the alert.

    Threshold
      Threshold of counts for the comparison. Specify a number of counts per interval in the following range (where the interval is specified):
      This value works with the Auto-Learn function. To get a suggestion of thresholds based on the message history, click View Counter Threshold Hints.

    Test Interval
      Interval for the test, in seconds. When the counter exceeds the threshold counts per time interval, an alert is generated.
      Example: If the compare function is GE, the threshold is 10 and the test interval is 60, then an alert is generated when more than 10 messages are issued per minute.
      Important: If the test interval is set to 0 seconds, then the interval is no longer applicable and the counter alert state on the Alerts > Counters tab remains green irrespective of the number of times the alert is generated. Also, the Now: Counts Per Interval field always displays N/A.

    Match Alert Time
      (Optional) Restricts the generation of alerts to a specified time range (for example, working hours or a second shift). By default, the match time matches all times of the day. You can configure more advanced schedules on the Alerts > Config > Alerts Schedule tab. For more information, see Setting-scheduled-alerts.

    Alert Message / Ticket Text
      Message that is sent back to the BMC Defender Server message stream, and which also serves as the text of the ticket (if assigned to a user). The field includes a Suggest option that suggests an appropriate message based on the system counter name, severity, compare function, and test interval.

    Insert Alert Variable
      Incorporates various types of information in the alert message, such as the source IP address, related message content, and device description.

    Enable Auto-Learning
      Enables auto-learning, which automatically adjusts alert thresholds up or down based on message history. For more information, see Auto-Learn-function.

    Alert Facility
      Syslog facility to use when sending a message back to the message stream. The default value is Alert.

    Alert Severity
      Syslog severity to use when sending a message back to the message stream; it also identifies the severity of tickets assigned to users. The value should indicate the severity of the alert condition, ranging from debug to emergency.

    Assign Ticket To User
      Opens a ticket on the system containing the alert message and assigns it to either the specified user or arbitrary ticket users defined in the Tickets > Config area of the program. When you open a ticket, it can trigger specific actions, such as sending an email. For information about ticket groups, see Ticket-group-wizard.

    Send Clear Severity
      Sends a message confirming when an alert condition clears. We recommend setting this value to disabled except in very specialized applications.
      Warning: Set this parameter carefully to avoid causing the alert to be immediately set again, causing a program loop.

    Alert Expiration Time
      Expiration time for the alert. An alert remains in its state as long as it meets its criteria. If the alert expiration time is set, the alert resets itself to a clear state after the specified time. A cleared alert retriggers when it meets its alert criteria again, which allows the alert to trigger multiple times and can create additional tickets if the conditions persist.

  3. Click Save.
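As an added example (not BMC's code and not how BMC Defender Server is implemented), the following Python simulates how the Compare Function, Threshold, Test Interval and Alert Expiration Time settings described above interact over a constructed message stream, including the 0-second interval case and the expiration retrigger that can open additional tickets. It assumes the labels GE and LE for the two compare functions, a simple fixed-window count evaluated when each interval closes, and that an alert clears when its condition stops being met; the event timestamps are constructed, not product data.

```python
from typing import List, Optional, Tuple

def interval_counts(event_times: List[float], interval: int, end_time: float) -> List[int]:
    """Bucket event timestamps (seconds) into consecutive Test Intervals."""
    counts = [0] * (int(end_time // interval) + 1)
    for t in event_times:
        counts[int(t // interval)] += 1
    return counts

def threshold_test(compare_fn: str, count: int, threshold: int) -> bool:
    """Compare Function applied to one interval's count (GE/LE labels assumed)."""
    if compare_fn == "GE":
        return count >= threshold
    if compare_fn == "LE":
        return count <= threshold
    raise ValueError("Compare Function must be GE or LE")

def run_counter_alert(event_times: List[float], compare_fn: str, threshold: int,
                      interval: int, end_time: float,
                      expiration: Optional[int] = None) -> Tuple[int, str, object]:
    """Return (alerts generated, final state, 'Now: Counts Per Interval' value).
    interval == 0: the rate test is not applicable, so the state stays green
    and the counts-per-interval display is N/A, as the table above notes."""
    if interval == 0:
        return 0, "green", "N/A"
    counts = interval_counts(event_times, interval, end_time)
    state, alerts, triggered_at = "green", 0, 0.0
    for i, count in enumerate(counts):
        now = (i + 1) * interval          # each interval is evaluated when it closes
        if state == "red" and expiration is not None and now - triggered_at >= expiration:
            state = "green"               # Alert Expiration Time: reset to clear
        if threshold_test(compare_fn, count, threshold):
            if state == "green":          # (re)trigger only from the clear state
                state, alerts, triggered_at = "red", alerts + 1, now
        else:
            state = "green"               # condition no longer met: alert clears
    return alerts, state, counts[-1]

# Constructed sample streams (event times in seconds); not real BMC Defender data.
BURSTY = [t * 5 for t in range(12)] + [70, 90, 110] + [120 + t * 5 for t in range(11)]
PERSISTENT = [m * 60 + t * 4 for m in range(4) for t in range(15)]

if __name__ == "__main__":
    # Page example: GE, threshold 10, interval 60 -> alerts in minutes 1 and 3
    print(run_counter_alert(BURSTY, "GE", 10, 60, 179))
    # Persistent condition: a 120 s expiration lets the alert fire a second time
    print(run_counter_alert(PERSISTENT, "GE", 10, 60, 239, expiration=120))
```

Compare the last call with the same stream and no expiration: the alert then fires once and simply stays red, which is why the table warns that expiration can create additional tickets while a condition persists.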
