Rules are defined using a logical language. The GUI provides a simple way of creating basic rules. Creating more complicated rules which may include maths calculations and MySQL queries can be done using macros
Rules must consist of at least 3 elements: An Entity, a Condition and a Value.
Rules can contain braces and Glues.
Entities are provided from Table and Field from the database. For Example:
Please note that % is not required when adding alert rules via the WebUI.
Conditions can be any of:
- Not Equals
- Not Like
- Greater or Equal
- Smaller or Equal
Values can be an entity or any single-quoted data.
Glues can be either
Note: The difference between
Like (and its negation) is that
Equals does a strict comparison and
Like allows the usage of MySQL RegExp.
Arithmetics are allowed as well.
Here are some of the other options available when adding an alerting rule:
- Rule name: The name associated with the rule.
- Severity: How "important" the rule is.
- Max alerts: The maximum number of alerts sent for the event.
- Delay: The amount of time in seconds to wait after a rule is matched before sending an alert.
- Interval: The interval of time in seconds between alerts for an event until Max is reached.
- Mute alerts: Disable sending alerts for this rule.
- Invert match: Invert the matching rule (ie. alert on items that don't match the rule).
- Device goes down:
%devices.status != '1'
- Any port changes:
%ports.ifOperStatus != 'up'
- Root-directory gets too full:
%storage.storage_descr = '/' && %storage.storage_perc >= '75'
- Any storage gets fuller than the 'warning':
%storage.storage_perc >= %storage_perc_warn
- If device is a server and the used storage is above the warning level, but ignore /boot partitions:
%storage.storage_perc > %storage.storage_perc_warn && %devices.type = "server" && %storage.storage_descr !~ "/boot"
- VMware LAG is not using "Source ip address hash" load balancing:
%devices.os = "vmware" && %ports.ifType = "ieee8023adLag" && %ports.ifDescr !~ "Link Aggregation @, load balancing algorithm: Source ip address hash"
- Syslog, authentication failure during the last 5m:
%syslog.timestamp >= %macros.past_5m && %syslog.msg ~ "@authentication failure@"
- High memory usage:
%macros.device_up = "1" && %mempools.mempool_perc >= "90" && %mempools.mempool_descr = "Virtual@"
- High CPU usage(per core usage, not overall):
%macros.device_up = "1" && %processors.processor_usage >= "90"
- High port usage, where description is not client & ifType is not softwareLoopback:
%macros.port_usage_perc >= "80" && %port.port_descr_type != "client" && %ports.ifType != "softwareLoopback"
You can associate a rule to a procedure by giving the URL of the procedure when creating the rule. Only links like "http://" are supported, otherwise an error will be returned. Once configured, procedure can be opened from the Alert widget through the "Open" button, which can be shown/hidden from the widget configuration box.
You can test your transports by forcing an actual active alert to run regardless of the interval or delay values.
./scripts/test-alert.php. This script accepts -r for the rule id, -h for the device id or hostname and -d for debug.