Alert configuration policies


In practice, you can set the threshold for an alert in one of two ways:

  • Enter a numeric value such as 3 counts per 60 seconds as a starting point, or
  • Drill down to view the Threshold Hints for the alert counter and interval, which are derived from any data that has already been collected for that thread.

This greatly simplifies the otherwise difficult task of choosing thresholds. If the alert is triggered more often than desired, expand the interval and raise the threshold together to reduce the number of alerts.

Alert thresholds relate to severities quite simply. If you adjust a count threshold upward, making the alert less likely to occur, the alert now represents a larger burst of activity and its severity should probably be increased. If you instead increase the test interval, the count is averaged over more time and the alert describes a more gradual, less acute condition; the document's guidance is that this decreases the likelihood of the alert occurring, so when you increase the test interval you should also consider decreasing the alert severity.

Alerts are good candidates for the User Defined Facility function of BMC Defender Server, discussed previously. Because you have complete control over the textual content of an alert, you can embed keywords in it that cause the resulting syslog message to appear in the Messages view with a particular user-defined facility and severity. This makes syslog messages generated by alerts easy to identify and makes further correlation of those messages simpler. For instance, you can include the keyword MS-Exchange in the alert text and then create a facility override (as discussed previously) that assigns any message containing that keyword the MS-Exchange facility code.
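The following is an added example, not BMC Defender's own code, illustrating the threshold, interval, severity and facility-override ideas from the preceding paragraphs over a few constructed syslog lines. It assumes a sliding-window counter (fire when the count of matching messages inside the last interval reaches the threshold, then clear the window so one burst yields one alert), an ordered severity list, and a keyword-to-facility table; none of these are taken from the product. The Threshold Hint here is simply the peak count seen in any window of the chosen interval over the collected data, so a threshold at or below it would already have fired on history.

```python
"""Added example (not BMC Defender code): count-per-interval alert thresholds,
threshold hints from collected data, the severity rule of thumb, and a
keyword-based facility override, run over constructed syslog lines."""
import re
from collections import deque
from dataclasses import dataclass, replace

SEVERITIES = ["info", "notice", "warning", "error", "critical"]  # assumed order


@dataclass(frozen=True)
class AlertPolicy:
    name: str
    pattern: str          # regex selecting the syslog messages that count
    threshold: int = 3    # fire at this many matches ...
    interval: int = 60    # ... within this many seconds (the page's starting values)
    severity: str = "warning"
    text: str = ""        # alert text; can carry a keyword such as MS-Exchange


# Constructed sample events (seconds since start, syslog message); not real logs.
EVENTS = [
    (0,   "exchange01 MSExchangeTransport: SMTP auth failure for user a"),
    (10,  "exchange01 MSExchangeTransport: SMTP auth failure for user b"),
    (25,  "exchange01 MSExchangeTransport: SMTP auth failure for user c"),
    (40,  "fw01 kernel: link up eth0"),
    (130, "exchange01 MSExchangeTransport: SMTP auth failure for user d"),
    (200, "exchange01 MSExchangeTransport: SMTP auth failure for user e"),
    (205, "exchange01 MSExchangeTransport: SMTP auth failure for user f"),
    (210, "exchange01 MSExchangeTransport: SMTP auth failure for user g"),
]


def evaluate(policy, events):
    """Sliding-window counter (assumed semantics, not the product's own):
    fire when `threshold` matches fall inside the last `interval` seconds,
    then clear the window so one burst yields one alert. Returns alert texts."""
    rx = re.compile(policy.pattern)
    window, alerts = deque(), []
    for ts, msg in events:
        if not rx.search(msg):
            continue
        window.append(ts)
        while ts - window[0] >= policy.interval:   # drop matches outside the interval
            window.popleft()
        if len(window) >= policy.threshold:
            alerts.append(f"{policy.severity.upper()} {policy.text} "
                          f"[{len(window)} in {policy.interval}s, t={ts}]")
            window.clear()
    return alerts


def threshold_hint(events, pattern, interval):
    """Threshold hint from previously collected data: the peak number of
    matching messages seen in any `interval`-second window."""
    rx = re.compile(pattern)
    times = [ts for ts, msg in events if rx.search(msg)]
    peak, start = 0, 0
    for end, ts in enumerate(times):
        while ts - times[start] >= interval:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def retune(policy, threshold=None, interval=None):
    """The page's rule of thumb: a higher count threshold makes the alert
    rarer and more significant (severity one step up); a longer interval
    spreads the count over more time (severity one step down)."""
    level = SEVERITIES.index(policy.severity)
    if threshold is not None and threshold > policy.threshold:
        level = min(level + 1, len(SEVERITIES) - 1)
    if interval is not None and interval > policy.interval:
        level = max(level - 1, 0)
    return replace(policy,
                   threshold=policy.threshold if threshold is None else threshold,
                   interval=policy.interval if interval is None else interval,
                   severity=SEVERITIES[level])


# Assumed user-defined facility table: keyword in the alert text -> facility label.
FACILITY_OVERRIDES = {"MS-Exchange": "MS-Exchange"}


def facility_for(alert_text, overrides=FACILITY_OVERRIDES, default="alert"):
    """Facility override: the first keyword found in the alert text selects
    its user-defined facility; otherwise the default facility is kept."""
    for keyword, facility in overrides.items():
        if keyword in alert_text:
            return facility
    return default


if __name__ == "__main__":
    base = AlertPolicy("exchange-auth", r"SMTP auth failure",
                       text="MS-Exchange SMTP auth failures")
    print("hint/60s:", threshold_hint(EVENTS, base.pattern, 60))
    for a in evaluate(base, EVENTS):
        print(facility_for(a), a)
    print(retune(base, threshold=6, interval=300))
```

One caveat worth noting against the assumed window semantics: with a fixed count, a longer interval alone makes the condition easier to meet (more messages fit in the window), which is why the page pairs expanding the interval with raising the threshold when an alert fires too often.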

As with threads, there can be many alerts. An alert that seldom fires is harmless and quickly drops to the bottom of the list. Not every thread requires an alert; some threads exist strictly for information and need no special alerting. Conversely, a single thread can have multiple alerts at different thresholds. You can audit the full list of alerts via the Audit hyperlink at the bottom of the display.


BMC Defender SIEM Correlation Server 5.9