Limited supportBMC provides limited support for this version of the product. As a result, BMC no longer accepts comments in this space. If you encounter problems with the product version or the space, contact BMC Support.BMC recommends upgrading to the latest version of the product. To see documentation for that version, see BMC AMI Command Center for Security 6.2.

Editing alert auto-learn function parameters

The alert Auto Learn tab displays parameters associated with the BMC Defender Server auto-learn function.

The auto-learn function automatically adjusts alert thresholds, and closes tickets based on the system activity. By default, the auto-learn function runs every night, makes adjustments, and optionally closes any tickets in which the source alert definition was modified by the process.

The auto-learn function greatly simplifies the setup and tuning of the system. It is especially useful for unattended types of installations because the operator can simply install the product and permit it to adjust itself based on the types of messages that the program receives.

(SPE2204) The auto-learn function also generates catalog statistics. For more information, see Viewing-catalog-statistics.

To edit alert auto-learn function parameters

  1. Navigate to Alerts > Config > Auto Learn.
  2. Click Edit, modify the parameter, and then click Commit. The following parameters are supported:

Parameter

Description

Schedule Auto-Learning

Controls when the auto-learn function should run

Valid values are as follows:

  • Daily—(Default) Schedules the auto-learn function to run every day, shortly after midnight
  • Disabled—Disables the auto-learn function

Suppress Auto-Learning Until

Controls when auto-learning should stop

Because the auto-learn function scans messages in each catalogs to determine the appropriate thresholds, it functions optimally when operating on large numbers of records. You can adjust the number of messages required before any auto-learning adjustments occur for a particular catalog.

Stop Auto-Learning After

Specifies the number of days after which auto-learning should stop

Enter an integer from 1 through 99999. The default value is 10.

You can set this value higher than the Keep Data value. Setting a value of 99999 means that the nightly auto-learn process effectively never stops.

Adjust Alert Thresholds

Controls how alert thresholds are adjusted: Up, Down, or Up and down. By default, alert thresholds are either increased (loosened) or decreased (tightened), depending on the number of messages received by a catalog.

Adjust Alert Intervals

Specifies whether you can either increase or decrease the alert intervals, enabling you to better handle the alert threshold when it reaches the maximum or minimum values

Adjust To Reduce Open Tickets

Controls whether the auto-learn function adjusts the alert thresholds to reduce open tickets. You can adjust thresholds based on the number of messages received. Also, if more than five tickets are opened on the system, the auto-learn function increments the alert threshold to reduce the open ticket count.

Auto-Close Tickets On Auto-Learned Change

Controls whether the system should automatically close tickets associated with alert thresholds when these alerts are adjusted

This parameter is useful for cleaning out tickets that might no longer be valid because the alert threshold has been adjusted. For more information about  BMC Defender Server, see BMC-Defender-Server-tickets.

Auto-Learn Notify Severity

Determines the severity of alerts generated by the auto-learn process

When the auto-learn process adjusts thresholds or closes tickets, the process sends an alert to BMC Defender Server, which appears on the Messages tab, indicating this action.

Auto-learn execution log

You can view the execution log of the last auto-learn process by selecting the More > Process Logs. This displays the names of the system logs of the BMC Defender Server. The auto-learn execution log is listed as CO-learn.log. The CO-learn.log contains a transcript of the auto-learn process since the last scheduled run, with the following information:

  • (SPE2204) The results of catalog statistics generation, including the number of messages processed for each catalog
  • Status of all alerts
  • Whether thresholds have been adjusted
  • Any tickets that have been automatically closed

When the auto-learn function closes a ticket, the Resolution field for that ticket automatically displays the reason for the closure, the previous alert threshold, and the current alert threshold. This provides an easy indication of whether the auto-learn function has changed any alert thresholds.

You can use the auto-learn execution log to determine whether the auto-learn function was bypassed.

To enable the auto-learn function, the following conditions must exist. These conditions are reflected in the auto-learn execution log.

  • The number of records in the message catalog associated with the alert must be greater than the specified Suppress auto-learning Until parameter value. If the number of records is less than that value, auto-learning is bypassed for the alert.
  • The number of days' worth of data in the message catalog associated with the alert must be less than the Stop auto-learning Value parameter value. the number of days' worth of data is more than that value, auto-learning is bypassed for the alert.
  • Auto-learning must be enabled for the alert (configured in the Alert Edit screen for the particular alert). This is the default condition when a new alert is added to the system.
  • The alert threshold must be greater than 1. (Auto-learning never occurs if the threshold is exactly 1, because this value indicates that the alert is looking for a singular occurrence of a particular message.)


Related topics

Alerts-tab

Auto-Learn-function

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*