Setting pattern alerts
To add a new pattern alert or edit an existing alert
- Navigate to Alerts > Patterns.
- Click AddNew to create an alert, or Edit to modify an existing one, and then set the parameters described in the following table.
Parameter | Description |
---|---|
Trigger #1 State | This drop-down menu selects a trigger defined on the Correlation > Triggers screen. The operator specifies both the trigger name and the trigger state that must be satisfied to set the pattern. The first trigger name and state are required. |
Trigger #2 State | This drop-down menu allows you to specify an optional second trigger name and state. |
Trigger #3 State | This drop-down menu allows you to specify an optional third trigger name and state. |
Pattern Context | This drop-down menu allows the operator to specify the context for the pattern, either All Messages, or Same Device. If the context is Same Device, a new pattern instance is created for each device that has set a trigger, thereby tracking activity on a single device. (See Pattern Active Instances). |
Alert Message / Ticket Text | This is the message that is sent back to the BMC Defender Server message stream when the pattern is set. The message also serves as the text of the ticket (if assigned to a user). The field includes a Suggest option that suggests an appropriate message based upon the specified trigger values. |
Insert Alert Variable | This input allows you to insert a variable into the Alert Message. You can incorporate various types of information in the alert message, such as the source IP address, related message content, and device description. |
Alert Facility | This is the syslog facility to be used when sending a message back to the message stream. The default value is Alert. |
Alert Severity | This is the syslog severity to be used when sending a message back to the message stream; it also sets the severity of any ticket assigned to a user (see Assign Ticket To User). The value should reflect the seriousness of the pattern detection. |
Assign Ticket To User | This input causes a ticket containing the Alert Message to be opened on the system and assigned to the specified user. In addition to any BMC Defender Server user, the operator can assign tickets to arbitrary Ticket Users, defined in the Tickets > Config area of the program. |
Alert Status | Determines whether the alert is enabled. This field is displayed only when you edit an alert. The default value is Enabled. To disable the product from generating an alert, select Disabled. When an alert is disabled, the following text is displayed in red under the alert message: Note: Alert Status = Disabled. |
Pattern active instances
Patterns have two different contexts, selected on the Edit screen. A context of All Messages indicates that any message (that sets a trigger) from any device can update the pattern. A context of Same Device indicates that new patterns are created for each device, so that multiple patterns can be active at the same time, tracking the different device states.
For Same Device patterns, each pattern has multiple separate instances that are created dynamically as messages are received. These active instances persist until the alert is cleared, and then disappear. The Active Instances link, in the third column of the top-level screen table, allows the operator to drill down and view the currently active pattern instances.
When a message is first received that matches the pattern, a copy of the pattern is automatically created, and identified by the sending IP address. Subsequently, as more messages are received from the device, the pattern is maintained for the device.
If the pattern is satisfied, the alert is set, which causes a ticket to be opened on the system. No further tickets are created for that instance while the pattern alert is set. When the alert is cleared, the instance is eliminated from the system, permitting the process to start over again.
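The following is an added, illustrative model of the behaviour described above; it is not BMC Defender Server code and is not its API. It assumes a simplified trigger layer (two invented triggers set and cleared by regexes over constructed sshd-style messages), a `{ip}` placeholder standing in for the Insert Alert Variable feature, and a constructed two-host message stream. It shows how a Same Device pattern keeps one instance per sending IP, how an All Messages pattern correlates across devices in a single instance, how a set alert suppresses further tickets, and how clearing the alert removes the instance:

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Triggers: constructed stand-ins for rules defined on the Correlation > Triggers
# screen. The names, regexes and message formats are invented for this example.
@dataclass(frozen=True)
class Trigger:
    name: str
    set_re: re.Pattern    # message text that sets the trigger
    clear_re: re.Pattern  # message text that clears it again

TRIGGERS = (
    Trigger("Login Failure", re.compile(r"authentication failure"),
            re.compile(r"Accepted password")),
    Trigger("Root Login", re.compile(r"session opened for user root"),
            re.compile(r"session closed for user root")),
)

def evaluate_triggers(text):
    """Return the (trigger name, new state) transitions one message implies."""
    changes = []
    for t in TRIGGERS:
        if t.set_re.search(text):
            changes.append((t.name, True))
        elif t.clear_re.search(text):
            changes.append((t.name, False))
    return changes

@dataclass(frozen=True)
class TriggerCondition:
    """One Trigger #1..#3 State field: a trigger name and the state it must be in."""
    name: str
    state: bool = True

@dataclass
class PatternAlert:
    name: str
    conditions: tuple                    # one to three TriggerCondition; first is required
    context: str = "All Messages"        # or "Same Device"
    alert_message: str = "pattern set"   # '{ip}' stands in for an inserted alert variable
    ticket_user: Optional[str] = None
    instances: dict = field(default_factory=dict)  # active instances keyed by device IP
    tickets: list = field(default_factory=list)

    def __post_init__(self):
        if not 1 <= len(self.conditions) <= 3:
            raise ValueError("a pattern takes one to three trigger conditions")
        if self.context not in ("All Messages", "Same Device"):
            raise ValueError("context must be 'All Messages' or 'Same Device'")

    def _key(self, src_ip):
        # All Messages: one shared instance; Same Device: one instance per sender.
        return src_ip if self.context == "Same Device" else "*"

    def receive(self, src_ip, text):
        """Feed one message. Returns the ticket it opened, or None."""
        changes = evaluate_triggers(text)
        if not changes:
            return None  # a message that sets no trigger never touches the pattern
        inst = self.instances.setdefault(self._key(src_ip),
                                         {"states": {}, "alert_set": False})
        inst["states"].update(changes)
        if inst["alert_set"]:
            return None  # alert already set: no further tickets until it is cleared
        if all(inst["states"].get(c.name) == c.state for c in self.conditions):
            inst["alert_set"] = True
            ticket = {"pattern": self.name, "device": self._key(src_ip),
                      "user": self.ticket_user,
                      "text": self.alert_message.format(ip=src_ip)}
            self.tickets.append(ticket)
            return ticket
        return None

    def clear(self, src_ip=None):
        """Operator clears the alert: the instance disappears so the cycle can restart."""
        self.instances.pop(self._key(src_ip), None)

    def active_instances(self):
        """What the Active Instances drill-down would list for this pattern."""
        return sorted(self.instances)

def demo():
    """Run a constructed two-host message stream through both pattern contexts."""
    conds = (TriggerCondition("Login Failure"), TriggerCondition("Root Login"))
    per_device = PatternAlert("Root login after failures", conds, "Same Device",
                              "Root login after auth failures on {ip}", "secops")
    any_device = PatternAlert("Root login after failures anywhere", conds,
                              "All Messages", "Root login after auth failures ({ip})", "secops")
    stream = [  # constructed messages, not real log data
        ("10.0.0.5", "sshd: authentication failure; user=bob"),
        ("10.0.0.9", "sshd: session opened for user root"),   # completes All Messages only
        ("10.0.0.5", "sshd: session opened for user root"),   # completes Same Device for .5
        ("10.0.0.5", "sshd: session opened for user root"),   # alert already set: no 2nd ticket
    ]
    for ip, text in stream:
        per_device.receive(ip, text)
        any_device.receive(ip, text)
    per_device.clear("10.0.0.5")  # ticket handled: the .5 instance is removed, .9 remains
    return per_device, any_device

if __name__ == "__main__":
    pd, ad = demo()
    for t in pd.tickets + ad.tickets:
        print(t)
    print("still active (Same Device):", pd.active_instances())
```

The Same Device pattern opens its ticket only for 10.0.0.5, where both triggers were set by the same sender, while the All Messages pattern fires as soon as the second message arrives from a different host; that cross-device correlation is exactly what the context setting controls, so choose it deliberately when the pattern is meant to describe activity on one device.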
The Alerts > Patterns screen is one of several locations that spawn instances to track individual devices. Other program locations include the Correlation > Triggers screen and the Alert Devices screen. Each of these screens operates in a similar fashion: the top-level screen reflects the overall rolled-up status, and you can drill down through the Active Instances hyperlink to see the separate instances.