Setting custom alerts


The Alerts > Custom tab extends the range of the alerting facility to include the execution of arbitrary alerting programs. These external programs are launched at scheduled intervals. The output of the alerting program is read by BMC Defender Server , compared to a user-defined match expression, and a threshold applied to the number of matches can open a ticket.


Custom alerts reference programs (typically batch files) residing in the c-alerts directory of the BMC Defender Server system. Specific notes on these batch files and their operation can be found in that location. For assistance on Custom alerts, consult with BMC Support. Typical applications of Custom alerts include database queries, parsing of external log file information, and integration with third-party software.

The Alerts > Custom tab supports two types of custom alerts—user program alert and parse value alert.


User program alert

The default type of custom alert is the User Program alert. In this case, the alert is based on a user program, script, or batch file residing in the c-alerts folder of the server. The custom alert is executed at periodic intervals (such as once every five minutes). The alert program simply outputs (to standard out) some content, and the custom alert matches some pattern in that content, opening a ticket if more than the expected number of matches exist.

The program residing in the c-alerts folder can be a batch file or an .exe program. (A batch file can shell out to another scripting language available on the server, such as Python or PHP.)

Example

Consider a custom alert intended to check a website periodically to see whether it has changed. In this case, the custom alert program might be a script that calls wget.exe or curl.exe, and the program argument might be a URL. The custom alert program downloads the URL, checks the content of the page for certain keywords, and outputs Fail if the keywords do not match. The Custom Alert facility then executes this program every five minutes and raises an alert if Fail occurs one or more times in the program's output.
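The website check described above, written out as an added example (not code from BMC or from this page): a Python program that a batch file in c-alerts could call with a URL and keywords as Program Arguments, plus a small model of how the facility counts matches in the output against the threshold. The script name check_site.py, the URL, and the use of a plain regular expression in place of the server's own match-expression syntax are assumptions.

```python
"""check_site.py: example custom alert program for the c-alerts folder.

Program Arguments (set by the operator): a URL followed by the keywords
the page must contain, e.g.  https://example.invalid/status "Service OK"
Writes OK, or one 'Fail: ...' line per missing keyword, to standard output.
"""
import re
import sys
import urllib.request


def check_page(content, keywords):
    """Return the text the program writes to standard output. Keyword
    matching is case-insensitive; each missing keyword gets its own Fail
    line so the server's match count reflects how many were missing."""
    missing = [k for k in keywords if k.lower() not in content.lower()]
    if not missing:
        return "OK: all %d keyword(s) present\n" % len(keywords)
    return "".join("Fail: keyword %r not found\n" % k for k in missing)


def count_matches(output, match_expression):
    """Model of the server side: count output lines that match the Program
    Output Match Expression. A plain regular expression stands in for the
    server's own expression syntax (assumption)."""
    pattern = re.compile(match_expression, re.IGNORECASE)
    return sum(1 for line in output.splitlines() if pattern.search(line))


def alert_raised(output, match_expression, threshold):
    """True when the match count meets or exceeds the threshold, which is
    the condition the field table gives for opening a ticket."""
    return count_matches(output, match_expression) >= threshold


if __name__ == "__main__":
    if len(sys.argv) < 3:
        # Misconfiguration is reported as a failure, not silently as OK.
        sys.stdout.write("Fail: usage: check_site.py URL KEYWORD...\n")
        sys.exit(0)
    url, keywords = sys.argv[1], sys.argv[2:]
    try:
        with urllib.request.urlopen(url, timeout=15) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except Exception as exc:
        # Network/HTTP errors must also surface as Fail in the output.
        sys.stdout.write("Fail: could not fetch %s (%s)\n" % (url, exc))
    else:
        sys.stdout.write(check_page(body, keywords))
```

With a match expression of Fail and a threshold of 1, a missing keyword, a fetch error and a bad argument list all open a ticket, while a healthy page does not.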

Parse value alert

This special type of custom alert is an extension of the User Program type described above. The alert executes the CALERT_PARSE.exe program, which parses the output of a thread for a specific field, and the custom alert opens a ticket if the occurrence count for a parsed item exceeds a threshold. When this type of alert is selected, the interface changes to let you specify a thread and a parse specification. (This simplifies the setup and operation of this type of alert.)

The operator can select Parse Value Alert as the type of Custom Alert when configuring the alert on the AddNew or Wizard screen, and this changes the general mode of operation. The Parse Value Alert type is a special custom alert program that executes the Analyze function for a parse expression (using a specified thread as the data source). If any occurrence count for the parsed values exceeds the threshold, a ticket is opened.

When you specify a Custom Alert Type of Parse Value Alert, the AddNew and Wizard screens require the following user input:

This Parse Value Alert function can be conceptualized as executing the Analyze function for a thread, using the Parse Spec mode, and then looking at the maximum number of occurrences for the parsed value results. If the maximum occurrence count exceeds the threshold, this sets the alert and opens a ticket.

Example

A typical application is to raise an alert if more than 20 occurrences of a status value, specified by Error: *, occur within one minute. In that case, the operator selects a thread to operate on (one that collects all error indications), sets a parse specification of error: *, a threshold of 20, and an execute interval of 60 seconds.
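As an added example (not BMC's CALERT_PARSE.exe), the following Python models what a parse value alert does over one execute interval: it applies a field: * parse specification to a thread's messages, compares the match count with the threshold, and opens one ticket per unique parsed value or a single ticket, following the True/False behaviour described for Unique Parsed Value Alerts in the field table below. The sample messages are constructed, and the modelling of a parse spec as a case-insensitive "label: value" match is an assumption.

```python
import re
from collections import Counter

# Constructed sample of one execute interval of a correlation thread that
# collects authentication failures (not real BMC Defender Server data).
THREAD_MESSAGES = [
    "Mar 10 12:00:01 app01 sshd[120]: error: password-invalid user: alice",
    "Mar 10 12:00:02 db01 postgres[77]: checkpoint complete",
    "Mar 10 12:00:03 app01 sshd[121]: error: password-invalid user: bob",
    "Mar 10 12:00:04 app02 sshd[122]: Error: password-invalid User: carol",
]


def parse_values(messages, parse_spec):
    """Apply a 'label: *' parse specification to each message and return
    (parsed value, message) pairs in arrival order. Only the 'field: *'
    form is modelled; numeric fields and $ parse functions are not."""
    label = parse_spec.split(":", 1)[0].strip()
    pattern = re.compile(r"\b" + re.escape(label) + r":\s*(\S+)", re.IGNORECASE)
    hits = []
    for msg in messages:
        m = pattern.search(msg)
        if m:
            hits.append((m.group(1), msg))
    return hits


def evaluate(messages, parse_spec, threshold, unique_value_alerts):
    """Return the list of ticket texts the alert would open.

    The alert fires when the number of messages matching the parse spec
    meets or exceeds the threshold. With Unique Parsed Value Alerts = True
    one ticket is opened per distinct parsed value; with False a single
    ticket is opened using the first matching message (assumed model,
    following the True/False examples in the field table).
    """
    hits = parse_values(messages, parse_spec)
    if len(hits) < threshold:
        return []
    if unique_value_alerts:
        counts = Counter(v for v, _ in hits)
        return ["%s %s seen %d time(s)" % (parse_spec, v, c) for v, c in counts.items()]
    return ["%d matches for %s; first: %s" % (len(hits), parse_spec, hits[0][1])]
```

Note that the same three messages give three tickets with parse spec user: * and Unique Parsed Value Alerts = True, but one ticket with error: *, because all three messages carry the same parsed error value.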

The table on the Alerts > Custom tab shows the following columns:

Edit
  Shows an edit button with a serial number for the custom alert. For more information, see To edit a custom alert.

State
  Displays the state of the custom alert. A green square indicates that the alert condition is within the threshold limit; a red square indicates that the threshold has been exceeded.

Custom Alert Title
  Name of the custom alert.

Threshold
  Threshold that you define when setting the custom alert.

Alert Severity & Message
  Displays the alert severity and the message that you define in the Alert Message / Ticket Text field when setting the custom alert.

Audit Full Custom Alert Data

To create a custom alert

  1. Navigate to the Alerts > Custom tab.
    • To validate your custom alert settings only at the end, click AddNew.
    • To validate your custom alert settings at each step, click Wizard.
  2. Modify the following fields (if you selected Wizard in the previous step, click Next after selecting the required settings):

    Custom Alert Title
      Name of the custom alert that identifies its purpose, such as what the alert monitors. Enter a unique alphanumeric name of not more than 30 characters.

    Custom Alert Type
      Type of custom alert. Select User Program or Parse Value Alert.

    Custom Alert Program Name (user program alert only)
      Name of the batch file or executable program that resides in the c-alerts folder of the server. The program is arbitrary and writes information to standard output; the custom alert facility compares that output to the match expression and threshold described below.

    Program Arguments (user program alert only)
      (Optional) A series of arguments passed to the specified custom alert program. The actual arguments depend on the nature and function of the program that you use.

    Program Output Match Expression (user program alert only)
      A server complex expression used to check the output of your program's execution. For more information about entering a match expression, click the Expression Help hyperlink.

    Selected Correlation Thread (parse value alert only)
      A drop-down list of the threads currently configured on the system; the Parse Specification is executed on the selected thread.

    Parse Specification (parse value alert only)
      A standard server parse expression, which can be a numeric field, a field such as myfield: *, or a parse function beginning with a dollar ($) character. The value should not rely on double quotes or other special characters.

    Unique Parsed Value Alerts (SPE2410)
      Determines whether BMC Defender Server creates a ticket and sends an alert for every unique parsed value that matches the alerting condition.
      To create a ticket for every unique parsed value that matches the alerting condition, select True. Example: a custom alert triggers when three password-invalid messages are received and Unique Parsed Value Alerts is set to True. When BMC Defender Server receives three password-invalid messages from three different users, it triggers three separate alerts and creates three tickets.
      To create only one ticket per alert, select False. Example: the same custom alert with Unique Parsed Value Alerts set to False. When BMC Defender Server receives three password-invalid messages from three different users, it triggers one alert and creates only one ticket, using the first password-invalid message received.

    Compare Function
      Condition that compares the number of matches of the Program Output Match Expression with the Threshold.

    Threshold
      Numeric threshold; the specified alert is generated when the number of matches in your program's standard output meets or exceeds it.

    Program Execute Interval (user program alert only; labelled Execute Interval if you select Wizard)
      Periodic interval at which the specified custom alert program is executed. This field takes any value from 10 to 3600 seconds; the default value is 300 seconds.

    Parse Execute Interval (parse value alert only; labelled Execute Interval if you select Wizard)
      Periodic interval at which the specified parse function is executed. This field takes any value from 10 to 3600 seconds; the default value is 300 seconds.

    Alert Message / Ticket Text
      Text displayed when the product generates an alert and creates a ticket. Click Suggest for an autogenerated alert message.

    Insert Alert Variable
      Adds an alert variable to the Alert Message / Ticket Text box. To insert an alert variable, select it from the list and click Insert.

    Alert Facility
      Syslog facility to use when sending a message back to the message stream. The default value is Alert.

    Alert Severity
      Syslog severity to use when sending a message back to the message stream; it also identifies the severity of tickets assigned to users. The value should indicate the severity of the alert condition, ranging from debug to emergency.

    Assign Ticket To User
      Opens a ticket on the system containing the alert message and assigns it either to the specified user or to ticket users defined in the Tickets > Config area of the program. Opening a ticket can trigger specific actions, such as sending an email. For information about ticket groups, see Ticket-group-wizard.

    When Condition Is Cleared Send Clear Severity
      Sends a message confirming that an alert condition has cleared. We recommend leaving this value disabled except in very specialized applications.
      Warning: Set this parameter carefully to avoid causing the alert to be set again immediately, which produces a program loop.

    Alert Status (SPE2410)
      Determines whether the alert is enabled. This field is displayed only when you edit an alert. The default value is Enabled. To stop the product from generating the alert, select Disabled. When an alert is disabled, the following text is displayed in red under the alert message:
      Note: Alert Status = Disabled.
  3. Click SaveNew.

To edit a custom alert

  1. Navigate to the Alerts > Custom tab.
  2. In the Edit column, click the numbered button on the row that has the alert that you want to edit.
  3. Modify the required fields and click Save.
    To create a new alert with the modified settings, click SaveNew.

To delete a custom alert

  1. Navigate to the Alerts > Custom tab.
  2. In the Edit column, click the numbered button on the row that has the alert that you want to delete.
  3. Click Delete. On the subsequent tab, click Delete again to confirm your action.
