BMC Defender Thread Custom Email plug-in
This section describes the Thread Custom E-Mail Action adapter (referred to here simply as the Thread E-Mail Adapter). It is an optional set of files and executables added to the BMC Defender Server to support sending e-mails whenever a thread logs a message.
The standard method of configuring e-mail notifications is the Ticket Action function of the system, which can be configured to send an e-mail message (and related messages) whenever one of the server alerting functions generates a ticket.
The Thread E-Mail Adapter discussed here provides a completely alternate method of sending notifications that does not rely on alerts or tickets. This might offer some advantages (and disadvantages) compared with the regular server e-mail interface, as explained in detail in this space.
This space provides information on specific features and capabilities of this special software, including installation procedures, operating theory, application notes, and certain features not documented elsewhere.
This space is for BMC Defender users who operate the system, as well as system administrators responsible for installing the software components. This information should also be of interest to program developers and administrators who want to extend the range of the BMC Defender system's role in an enterprise to include a collection of arbitrary files.
BMC Defender Server threads are used as building blocks for alerts and reports—these threads (configured in the Correlation > Threads tab of the system) index incoming message data, organizing this data as messages are received, based on match patterns applied to incoming messages.
Thread counts can be alerted on through the Alerts > Counters tab of the system, which generates an alert if the thread count exceeds some value during a time interval (such as three invalid logons in 60 seconds). Alerts open tickets on the system (viewable in the Tickets > Opened tab). These tickets can run actions, such as sending e-mail (configurable on the Ticket > Actions screen).
This method of decoupling threads, alerts, and tickets affords many benefits. In particular, the BMC Defender Server ticket system prevents excessive e-mails and the generation of e-mails when an alert condition already exists. The method described above also furnishes an aggregate approach to alerting, where the alert is an abstraction that indicates a particular class of high-level error (such as a Common Threat indication).
The Thread E-Mail adapter takes a different and simpler approach to sending an e-mail: it adds a new feature to the Thread > Edit screen that permits the operator to configure detailed message formats that are generated whenever a message is logged and recorded by a thread. This means that the e-mail recipient sees clear and detailed information when a certain class of message is received. The major disadvantage is that this can generate large volumes of e-mail that can be burdensome to both the program and the operator.
Caveats
The Thread E-Mail adapter has the potential for sending large amounts of e-mail. Specific controls, outlined in Using-BMC-Defender-Thread-Custom-Email-plug-in, can limit the e-mail rates, but this implies that certain messages logged to a thread might not be sent (because the rate is limited).
The following simple rule applies to this adapter: configure e-mail notifications only for special threads that receive messages at a low rate. For example, if a thread is being updated with hundreds of messages per second, the facility sends e-mail only as the Hold-Off and Messages Per Hour settings permit. (These controls are discussed in Using-BMC-Defender-Thread-Custom-Email-plug-in.) In contrast, a thread that receives a message only once every few hours, or that contains only anomalous messages, is an appropriate correlation thread for e-mail notifications.
Correlation threads serve multiple purposes within the server and are used by reports, alerts, and dashboards. Not all threads are good candidates for sending e-mail notifications. Hence, you should only enable e-mail notifications for a few specific threads that record anomalous or occasional messages.
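The caveat above can be made concrete with a small model, added here as an illustration and not taken from BMC Defender. It assumes Hold-Off is a minimum number of seconds between e-mails and Messages Per Hour is a cap over a rolling hour, with excess messages dropped rather than queued; the function names and sample threads are constructed, and the actual control semantics are those described in Using-BMC-Defender-Thread-Custom-Email-plug-in.

```python
from collections import deque


def simulate(arrivals, hold_off_s, max_per_hour):
    """Return (sent, suppressed) message timestamps for one thread.

    Assumed model (not the product's code): a logged message produces an
    e-mail only if at least hold_off_s seconds have passed since the last
    e-mail AND fewer than max_per_hour e-mails were sent in the preceding
    3600 seconds. Any other message is dropped, not queued.
    """
    sent, suppressed = [], []
    window = deque()  # send times that still count against the hourly cap
    last_sent = None
    for t in arrivals:
        while window and t - window[0] >= 3600:
            window.popleft()
        in_hold_off = last_sent is not None and t - last_sent < hold_off_s
        if in_hold_off or len(window) >= max_per_hour:
            suppressed.append(t)
            continue
        sent.append(t)
        window.append(t)
        last_sent = t
    return sent, suppressed


def coverage(arrivals, hold_off_s, max_per_hour):
    """Fraction of logged messages that actually produced an e-mail."""
    sent, _ = simulate(arrivals, hold_off_s, max_per_hour)
    return len(sent) / len(arrivals) if arrivals else 1.0


# Constructed sample threads: timestamps in seconds over one hour.
NOISY = [i / 100 for i in range(360_000)]  # 100 messages per second
QUIET = [0, 1250, 2600]                    # occasional, anomalous messages

if __name__ == "__main__":
    for name, arrivals in (("noisy", NOISY), ("quiet", QUIET)):
        sent, dropped = simulate(arrivals, hold_off_s=60, max_per_hour=20)
        print(f"{name}: logged={len(arrivals)} e-mailed={len(sent)} "
              f"not e-mailed={len(dropped)}")
```

Under these assumed settings the noisy thread exhausts its hourly allowance in the first twenty minutes and every later message goes unreported, while the quiet thread is notified on every message.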
Using this adapter requires a good understanding of BMC Defender Server basics and of parse specifications. Detailed notes regarding parse specifications are available on the server as online help and also in the s-doc\CO-PARSE.pdf file.