Setting custom alerts
The Custom Alert tab extends the range of the alerting facility to include execution of arbitrary alerting programs. These external programs are launched at scheduled intervals. The output of the alerting program is read by BMC Defender Server and compared to a user-defined match expression, and a threshold applied to the number of matches can open a ticket. The screen is depicted in the following image.
Custom alerts reference programs (typically batch files) residing in the c-alerts directory of the BMC Defender Server system. Specific notes on these batch files and their operation can be found in that location. For assistance on Custom alerts, consult with BMC Defender Server Support. Typical applications of Custom alerts include database queries, parsing of external log file information, and integration with third-party software.
Custom alert types
When configuring a Custom Alert, you can specify a type through a drop-down menu on the AddNew or Wizard screen. Two types of custom alerts exist, as follows:
- User Program Type—The default type of custom alert is the User Program alert. In this case, the alert is based on a user program, script, or batch file residing in the c-alerts folder of the server. The custom alert is executed at periodic intervals (such as once every five minutes). The alert program simply outputs (to standard out) some content, and the custom alert matches some pattern in that content, opening a ticket if more than the expected number of matches exist.
- Parse Value Type—This special type of custom alert is simply an extension of the User Program type described above. The alert executes the CALERT_PARSE.exe program, which parses the output of a thread for a specific field, and the custom alert opens a ticket if the occurrence count for any parsed item exceeds a threshold. When this type of alert is selected, the interface changes to permit a thread and parse specification to be specified. (This simplifies the setup and operation of this type of alert.)
More detailed information on each of the Custom Alert types is furnished in the next section.
To create or edit a user program type alert
The default type of custom alert is based on the output of an external program residing in the c-alerts folder. This program can be a batch file or an .exe program. (The batch file can shell out to some other scripting language, such as Python or PHP, installed on the server.)
When you specify a Custom Alert Type of User Program, the AddNew and Wizard screens require the following user input:
Parameter | Description |
---|---|
Custom Alert Title | This is an arbitrary short title that identifies the purpose and intent of the custom alert, such as what the alert monitors. |
Custom Alert Program Name | This is the name of a batch file or .exe program residing in the c-alerts folder of the server. The program is arbitrary, and outputs information to standard output. (The custom alert facility compares the output to a match pattern and threshold as described further.) |
Program Arguments | This input is a series of optional arguments passed to the custom alert program name specified. The actual arguments depend on the nature and function of the custom alert program that you use. |
Program Output Match Expression | This is a server complex expression that is used to check the output of your program's execution. |
Threshold | This is a numeric threshold that sets the alert when the number of matches of the match expression in your program's standard output meets or exceeds this value. |
Program Execute Interval | This is the number of seconds to pause between executions of the custom alert program specified, for instance, 300 seconds between executions (five minutes). The program is executed at close to the rate specified here. |
Other Ticket Parameters | In addition to the mentioned specific inputs, the standard alerting parameters of Alert Message, Facility, Severity, and Assignee are provided. These values (including the Suggest and Insert Variable functions) are the same as found on the other alerting screens. |
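The User Program cycle described above, as an added example that is not BMC's code: a stand-in c-alerts program is launched without a shell and with a timeout, its standard output is counted against a match expression, and a ticket is opened when the count meets or exceeds the threshold. The match expression is treated here as a regular expression, which is an assumption standing in for the server's own match syntax.

```python
# Added example, not BMC Defender Server code. Assumption: the match
# expression is a Python regular expression; the real server uses its own
# "complex expression" syntax.
import re
import subprocess
import sys

# Constructed sample of what a database-query batch file in c-alerts might
# print: three failed-login records among five lines.
FAKE_PROGRAM_OUTPUT = (
    "2024-01-01 10:00:01 login ok user=alice\n"
    "2024-01-01 10:00:05 login FAILED user=bob\n"
    "2024-01-01 10:00:09 login FAILED user=bob\n"
    "2024-01-01 10:00:12 login ok user=carol\n"
    "2024-01-01 10:00:20 login FAILED user=eve\n"
)

def sample_argv():
    """Hypothetical c-alerts program: a python -c command echoing the sample."""
    return [sys.executable, "-c",
            "import sys; sys.stdout.write(%r)" % FAKE_PROGRAM_OUTPUT]

def run_alert_program(argv, timeout=60):
    """Launch the alert program (no shell, arguments passed as a list) and
    capture its standard output. The timeout stops a hung program from
    blocking the next scheduled execution cycle."""
    result = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return result.stdout

def count_matches(output, match_expression):
    """Count the output lines that match the expression (one match per line)."""
    pattern = re.compile(match_expression)
    return sum(1 for line in output.splitlines() if pattern.search(line))

def evaluate_user_program_alert(output, match_expression, threshold, title):
    """Return a ticket (as a dict) when matches >= threshold, otherwise None."""
    matches = count_matches(output, match_expression)
    if matches >= threshold:
        return {"title": title, "matches": matches, "threshold": threshold}
    return None

if __name__ == "__main__":
    out = run_alert_program(sample_argv())
    print(evaluate_user_program_alert(out, r"login FAILED", 3, "Failed logins"))
```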
To create or edit a parse value type alert
The operator can select Parse Value Alert as the type of Custom Alert when configuring the alert on the AddNew or Wizard screen, and this changes the general mode of operation. The Parse Value Alert type is just a special custom alert program that executes the Analyze function for a parse expression (using a specified thread as a data source). If the occurrence count for any parsed value exceeds the threshold, a ticket is opened.
When you specify a Custom Alert Type of Parse Value Alert, the AddNew and Wizard screens require the following user input:
Parameter | Description |
---|---|
Custom Alert Title | This is an arbitrary short title that identifies the purpose and intent of the custom alert, such as what the alert monitors. |
Selected Correlation Thread | This is a drop-down list of the threads currently configured on the system; the Parse Specification is executed on the selected thread. |
Parse Specification | This is a standard server Parse Expression, that might be a numeric field, a field such as myfield: * or a parse function beginning with a ($) dollar character. The value should not rely on double quotes or other special characters. |
Threshold | This is a numeric threshold that sets the alert when the maximum number of occurrences of any value matched by the parse specification is exceeded during an execution cycle. |
Parse Execute Interval | This is the number of seconds to pause between executions of the parse function specified, for instance 300 seconds between executions (five minutes). The parse function executes at close to the rate specified here. |
Other Ticket Parameters | In addition to the above specific inputs, the standard alerting parameters of Alert Message, Facility, Severity, and Assignee are provided. These values (including the Suggest and Insert Variable functions) are the same as found on the other alerting screens. |
This Parse Value Alert function can be conceptualized as executing the Analyze function for a thread, using the Parse Spec mode, and then looking at the maximum number of occurrences for the parsed value results. If the maximum occurrence count exceeds the threshold, this sets the alert and opens a ticket.
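The Parse Value evaluation described above, as an added example that is not BMC's code: each thread message is parsed with the parse specification, occurrences are counted per parsed value, and a ticket is opened only when the maximum count strictly exceeds the threshold. The interpretation of the parse specification is an assumption: "name: *" extracts the token following "name:", and a bare number N extracts the N-th whitespace-separated token of the message; the server's real Analyze function may behave differently.

```python
# Added example, not BMC Defender Server code. Assumed parse-spec semantics:
# "name: *" selects the token after "name:", a bare number selects the N-th
# whitespace-separated token (1-based). The real Analyze function may differ.
import re
from collections import Counter

# Constructed thread messages, as a correlation thread might hold them.
THREAD_MESSAGES = [
    "sshd: Failed password for user: bob from 10.0.0.5",
    "sshd: Failed password for user: bob from 10.0.0.5",
    "sshd: Failed password for user: alice from 10.0.0.7",
    "sshd: Failed password for user: bob from 10.0.0.9",
    "sshd: Accepted password for user: carol from 10.0.0.8",
]

def parse_value(message, parse_spec):
    """Return the value the parse spec selects from one message, or None."""
    spec = parse_spec.strip()
    if spec.isdigit():
        tokens = message.split()
        idx = int(spec) - 1
        return tokens[idx] if 0 <= idx < len(tokens) else None
    m = re.fullmatch(r"(\S+):\s*\*", spec)
    if m:
        found = re.search(re.escape(m.group(1)) + r":\s*(\S+)", message)
        return found.group(1) if found else None
    raise ValueError("unsupported parse spec: %r" % parse_spec)

def occurrence_counts(messages, parse_spec):
    """Analyze the thread: number of occurrences of each parsed value."""
    values = (parse_value(msg, parse_spec) for msg in messages)
    return Counter(v for v in values if v is not None)

def evaluate_parse_value_alert(messages, parse_spec, threshold, title):
    """Return a ticket (as a dict) when the most frequent parsed value
    occurs more than threshold times in this cycle, otherwise None."""
    counts = occurrence_counts(messages, parse_spec)
    if not counts:
        return None
    value, count = counts.most_common(1)[0]
    if count > threshold:
        return {"title": title, "value": value,
                "occurrences": count, "threshold": threshold}
    return None

if __name__ == "__main__":
    print(evaluate_parse_value_alert(THREAD_MESSAGES, "user: *", 2, "Repeated user"))
```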
Notes on Custom Alerts
Custom Alerts, described in this section, are slightly arcane, but are very powerful in extending the role of the server to perform specialized alerting based upon complex criteria. More information on usage might be available from the vendor, including crafting of common custom alert programs.