Setting device alerts
The main benefit of the Device Alert function is that each managed device, within a specified class of devices (or all devices on the system), is individually tracked using a single alert threshold and match pattern. This gives a clear indication of which devices are being tracked at any given time, and how near each device is to the specified threshold.
To add a new device alert or edit an existing alert
(SPE2210) You can add up to 50 device alerts.
(Before SPE2210) You can add up to 25 device alerts.
- Navigate to Alerts > Devices.
- Click AddNew or Edit to create or modify the alert parameters described in the following table.
Parameter | Description |
---|---|
Pin This Alert To Top | Pins the alert to the top of the list so that you can keep track of particular device alerts of interest. Each operator can pin items without affecting other operators. |
Match IP Addr / Group | IP address wildcard or address group to which the device alert applies. A message received from the specified address group that also matches the Match Expression causes a device alert instance to be created or updated. |
Match Expression | Keyword (possibly complex) that matches the message that creates or updates the device alert. Any message received from the matched device group that matches this value causes a device alert instance to be created or updated. |
Compare Function | Compare function used in the threshold test. You can only specify GE (Greater Than Or Equal). |
Threshold | Threshold for the comparison, an integer value. (SPE2201) The threshold must be in the range of 1 to 200 counts per interval (before SPE2201, the range is 1 to 50), where the interval is specified by Test Interval. |
Test Interval | Interval for the test, in seconds. When the count per time interval meets or exceeds the threshold, an alert is generated. |
Alert Message / Ticket Text | Message that is sent back to the BMC Defender Server message stream and that also serves as the text of the ticket (if assigned to an operator or ticket group). The field includes a Suggest option that proposes an appropriate message based on the system counter name, severity, compare function, and test interval. |
Insert Variable | Variable to insert into the alert message. You can incorporate various types of information in the alert message, such as the source IP address, related message content, and device description. |
Alert Facility | Syslog facility used when sending a message back to the message stream. The default value is Alert, but you can specify another facility appropriate for the alert. |
Alert Severity | Syslog severity used when sending a message back to the message stream; it also identifies the severity of any ticket assigned to a user. The value should reflect the severity of the alert condition, ranging from debug to emergency. |
Assign Ticket To User | User or ticket group to which a ticket containing the alert message is assigned. In addition to any BMC Defender Server user, you can assign tickets to ticket users defined in the Tickets > Config tab. When a ticket is opened, it can trigger specific actions, such as sending an email message. |
Device Alert active instances
Each device alert can have multiple separate instances that are dynamically created when a message is received. These active instances persist until the alert is cleared, and then disappear. The Active Instances link lets you drill down and view the currently active device instances.
When a message that matches the alert pattern is first received, a copy of the alert is automatically created and identified by the managed device. Subsequently, as more messages are received from that device, the count per time interval is maintained.
If the count reaches or exceeds the threshold, the alert is set, which causes a ticket to be opened on the system. No further tickets are created while that particular alert instance is set. When the alert is cleared, the instance is eliminated from the system, permitting the process to start over again.
A common application of the device alert is to track the number of invalid logons to devices on a per device basis. Other applications also exist, such as tracking the number of error messages for each device.
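The per-device instance lifecycle described above (create on first match, count per test interval, GE threshold sets the alert and opens one ticket, no further tickets until cleared), modelled as an added example for the invalid-logon use case. This is illustrative code written for this page, not BMC Defender Server's own implementation; the class, field names and sample messages are all assumptions constructed here.

```python
import re
from dataclasses import dataclass, field

@dataclass
class DeviceAlert:
    """Illustrative model of one Device Alert definition (assumed names, not BMC's API)."""
    match_expression: str   # keyword/regex tested against each message
    threshold: int          # Compare Function is fixed to GE: count >= threshold sets the alert
    test_interval: int      # seconds per counting interval
    instances: dict = field(default_factory=dict)   # device -> active instance
    tickets: list = field(default_factory=list)     # (device, timestamp) of tickets opened

    def on_message(self, device: str, ts: int, text: str) -> str:
        if not re.search(self.match_expression, text):
            return "ignored"
        inst = self.instances.get(device)
        if inst is None:  # first matching message creates the instance, keyed by device
            inst = {"window_start": ts, "count": 0, "set": False}
            self.instances[device] = inst
        if inst["set"]:
            return "suppressed"          # alert already set: no further tickets
        if ts - inst["window_start"] >= self.test_interval:
            inst["window_start"], inst["count"] = ts, 0   # new interval, count restarts
        inst["count"] += 1
        if inst["count"] >= self.threshold:
            inst["set"] = True           # alert set -> exactly one ticket opened
            self.tickets.append((device, ts))
            return "ticket"
        return "counted"

    def clear(self, device: str) -> None:
        self.instances.pop(device, None)  # clearing eliminates the instance; process starts over


def run_demo() -> dict:
    """Constructed sample: 3 invalid logons per 60 s, tracked per source device."""
    alert = DeviceAlert(match_expression=r"invalid user|Failed password", threshold=3, test_interval=60)
    messages = [  # (seconds, source device, message text) - constructed, not real logs
        (0, "10.0.0.5", "sshd: Failed password for invalid user admin"),
        (5, "10.0.0.5", "sshd: Failed password for invalid user test"),
        (10, "10.0.0.9", "sshd: Failed password for root"),
        (20, "10.0.0.5", "sshd: Accepted publickey for ops"),             # no match
        (30, "10.0.0.5", "sshd: Failed password for invalid user guest"), # 3rd in 60 s -> ticket
        (40, "10.0.0.5", "sshd: Failed password for invalid user guest"), # instance set -> suppressed
        (100, "10.0.0.9", "sshd: Failed password for root"),              # 90 s later: new interval
        (110, "10.0.0.9", "sshd: Failed password for root"),
    ]
    results = [alert.on_message(dev, ts, txt) for ts, dev, txt in messages]
    return {"results": results, "tickets": list(alert.tickets),
            "counts": {d: i["count"] for d, i in alert.instances.items()}}
```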