Rules are defined using a logical language.
The GUI provides a simple way of creating rules.
Creating more complicated rules which may include maths calculations and MySQL queries can be done using macros
Rules must consist of at least 3 elements: An Entity, a Condition and a Value. Rules can contain braces and Glues. Entities are provided from Table and Field from the database. For Example:
Conditions can be any of:
- Not Equals
- Not In
- Begins with
- Doesn't begin with
NOT LIKE ('...%')
- Doesn't Contain
NOT LIKE ('%...%')
- Ends with
- Doesn't end with
NOT LIKE ('%...')
- Not Between
- Is Empty
- Is Not Empty
- Is Null
- Is Not Null
IS NOT NULL
- Greater or Equal
- Less or Equal
Values can be an entity or any data. If using macros as value you must include the macro name into backticks. i.e. `macros.past_60m`
Note: Regex supports MySQL Regular expressions.
Arithmetics are allowed as well.
Here are some of the other options available when adding an alerting rule:
- Rule name: The name associated with the rule.
- Severity: How "important" the rule is.
- Max alerts: The maximum number of alerts sent for the event.
- Delay: The amount of time in seconds to wait after a rule is matched before sending an alert out transport.
- Interval: The interval of time in seconds between alerts for an event until Max alert is reached.
- Mute alerts: Disables sending alert rule through alert transport. But will still show the alert in the Web UI.
- Invert match: Invert the matching rule (ie. alert on items that _don't match the rule).
- Recovery alerts: This will disable the recovery notification from being sent if turned off.
On the Advanced tab, you can specify some additional options for the alert rule:
- Override SQL: Enable this if you using a custom query
Query: The query to be used for the alert.
An example of this would be an average rule for all CPUs over 10%
SELECT *,AVG(processors.processor_usage) as cpu_avg FROM devices,processors WHERE (devices.device_id = ? AND devices.device_id = processors.device_id) AND (devices.status = 1 && (devices.disabled = 0 && devices.ignore = 0)) = 1 HAVING AVG(processors.processor_usage) > 10
The 10 would then contain the average CPU usage value, you can change this value to be whatever you like.
- You will to need copy and paste this into the Alert Rule under Advanced then paste into Query box and switch the Override SQL.
You can associate a rule to a procedure by giving the URL of the procedure when creating the rule. Only links like "http://" are supported, otherwise an error will be returned. Once configured, procedure can be opened from the Alert widget through the "Open" button, which can be shown/hidden from the widget configuration box.
- Device goes down:
devices.status != 1
- Any port changes:
ports.ifOperStatus != 'up'
- Root-directory gets too full:
storage.storage_descr = '/' AND storage.storage_perc >= '75'
- Any storage gets fuller than the 'warning':
storage.storage_perc >= storage_perc_warn
- If device is a server and the used storage is above the warning level, but ignore /boot partitions:
storage.storage_perc > storage.storage_perc_warn AND devices.type = "server" AND storage.storage_descr != "/boot"
- VMware LAG is not using "Source ip address hash" load balancing:
devices.os = "vmware" AND ports.ifType = "ieee8023adLag" AND ports.ifDescr REGEXP "Link Aggregation .*, load balancing algorithm: Source ip address hash"
- Syslog, authentication failure during the last 5m:
syslog.timestamp >= macros.past_5m AND syslog.msg REGEXP ".*authentication failure.*"
- High memory usage:
macros.device_up = 1 AND mempools.mempool_perc >= 90 AND mempools.mempool_descr REGEXP "Virtual.*"
- High CPU usage(per core usage, not overall):
macros.device_up = 1 AND processors.processor_usage >= 90
- High port usage, where description is not client & ifType is not softwareLoopback:
macros.port_usage_perc >= 80 AND port.port_descr_type != "client" AND ports.ifType != "softwareLoopback"
- Alert when mac address is located on your network
ipv4_mac.mac_address = "2c233a756912"
Alert Rules Collection
You can also select Alert Rule from the Alerts Collection. These Alert Rules are submitted by users in the community :) If would like to submit your alert rules to the collection, please submit them here Alert Rules Collection