notempty
Function, Setup and Configuration of the Alerting Center
Last adaptation to the version: 11.8.8
- New:
- The design of the regular report has been revised in 11.8.8
- New triggers for notifications through Threat Intelligence Filter in 11.8.7
Introduction
The Alerting Center automatically sends e-mails with log events. This sets up monitoring of log events and simplifies monitoring. Error messages can be forwarded to the admin before a malfunction occurs or a malfunction can be detected more quickly.
The Alerting Center is always active by default as soon as a valid e-mail address has been entered and the mail relay has been configured correctly.
The Alerting Center sends notifications by e-mail to the global e-mail address.
There are
- Immediate reports that are sent immediately when an event occurs, and
- Regular reports that are sent in a fixed period of time.
Priority groups can be assigned to different events
Requirements
For the Alerting Center to be able to send messages, the Mailrelay must be configured.
If no own mail server or no fixed public IP address is available, a Smarthost can be configured in the menu .
Configuration
Menu Item
General
| Caption | Default | Description | |
|---|---|---|---|
| Status | ⬤ | should be green, otherwise please check the Mailrelay. |  |
| E-mail address: | admin@ttt-point.de | here must be a valid mail address. This is displayed in the menu →global email address. | |
Immediate email reportImmediate email report
| |||
| Enabled: | Yes | Immediate e-mail reports are sent by default. |  |
| Notification types: | × Level 5 - Error × Level 6 - Critical × Level 7 - Alert × Level 8 - Emergency |
Further priority groups can be selected in the click box. If an event occurs or a threshold value associated with this group is exceeded, an e-mail is immediately sent. | |
| Limit: | 10 |
Immediate reports within | |
| Time frame: | 60 |
Minutes | |
Regular email report Regular email report
| |||
| Enabled: | Yes | Regular email reports are sent by default. This only happens if any event with a log level has occurred. Otherwise no report will be sent. If a report is desired nevertheless, this can be realized via the Unified Security Report. |
 |
| Notification types: | × Level 2 - Info × Level 3 - Notice × Level 4 - Warning × Level 5 - Error × Level 6 - Critical × Level 7 - Alert × Level 8 - Emergency |
In the click box further priority groups can be selected or deselected. Events configured with these syslog groups are listed in a regularly sent mail. | |
| Date: | : |
Click on the days of the week to select or deselect them. | |
Notifications
There are two different groups of notifications:
Threshold controlled notifications
These values can be specified:
| For the first and second report levels | |
|
, assigned to this level. |
|
Value, from which this level is reached |
| Name | Tolerated time exceeding the threshold values: Default value |
Threshold value 1 Default value Notification type: Severity Level |
Threshold value 2 Default value Notification type: Severity Level |
|---|---|---|---|
|
60 minutes | 70 % CPU utilization or higher Level 3 - Notice |
90 % Level 4 - Warning |
|
60 minutes | 70 % CPU utilization or higher Level 3 - Notice |
90 % Level 4 - Warning |
|
... | ... | |
|
60 minutes | 1.5 load average (5 minutes) or higher Average value of the last 5 minutes.
|
4 Level 5 - Error |
|
240 Minutes | 100 e-mails or more could not be processed yet and are in the mail queue Level 4 - Warning |
1000 emails Level 5 - Error |
|
0 Minutes | 20000 bytes / second or more Level 0 - No message |
200000 Bytes Level 0 - No message |
|
... | ... | |
|
0 Minutes | 20 % free disk space or less Level 4 - Warning |
10 % Level 5 - Error |
event-based notifications
For event-based notifications, a is directly assigned to the
Notification Type.
| Name | Message: | Default Syslog Group |
|---|---|---|
| AD/LDAP New value as of v11.8.5 |
Connection problems to Active Directory or LDAP server. | Level 4 - Warning |
| Cluster Switch New value as of v11.8.5 |
Cluster: Switching between MASTER and BACKUP. | Level 7 - Alert |
| DBUS Rule Policy New value as of v11.8.4 |
DBUS security violation detected. | Level 6 - Critical |
| DSL_VDSL | Dial-up problem over DSL or VDSL. | Level 4 - Warning |
| DynDNS-Client Account | Account error message of the DynDNS client. | Level 4 - Warning |
| DynDNS-Client Host | Host error message of the DynDNS client. | Level 4 - Warning |
| DynDNS-Client Server | Server error message of the DynDNS client. | Level 4 - Warning |
| Fallback-Interface | Fallback interface activated/deactivated. | Level 6 - Critical |
| HTTP-Proxy Workers New value as of v11.8.5 |
HTTP-Proxy: No more worker processes. For load balancing, the HTTP proxy squid outsources its services to worker processes. When all worker processes are terminated, the HTTP proxy no longer runs. |
Level 5 - Error |
| IPS Blocking | Blocked IP address messages due to incorrect logon. | Level 4 - Warning |
| License Error | License error messages. | Level 5 - Error |
| License Information | License information messages. | Level 3 - Notice |
| Mail Scanner | Mail scanner has detected a virus. | Level 5 - Error |
| Mailconnector Authentication | Mailconnector authentication problem to the e-mail provider. | Level 4 - Warning |
| Mailconnector Fetch | Mailconnector rejects an e-mail due to message size. | Level 4 - Warning |
| Mandatory Access Control (MAC) | Security breach detected (MAC)(until 11.8.3 labeled as tomoyo). | Level 6 - Critical |
| Shutdown Detection | Unclean shutdown detected. | Level 6 - Critical |
| Spamfilter-Cloud | Spam Filter can not connect to cloud. | Level 4 - Warning |
| Squid Virus Scanner | Squid (HTTP-Proxy) has detected a virus. | Level 5 - Error |
| SSL_VPN | Authentication failed with SSL VPN Cert&Auth. | Level 4 - Warning |
| Threat Intelligence Filter - FORWARD in 11.8.7 |
Forwarding to an IP address prevented by Threat Intelligence Filter. | Level 7 - Alert |
| Threat Intelligence Filter - OUTPUT in 11.8.7 |
Calling an IP address prevented by Threat Intelligence Filter. | Level 7 - Alert |
| Threat Intelligence Filter - INPUT in 11.8.7 |
External access from an IP address prevented by Threat Intelligence Filter. | Level 7 - Alert |
The settings are concluded with .
Result
Notifications are now sent to the specified mail address at the configured times and system states.
The subject of the messages is structured as follows: Subject:Alerting-Center (firewall-name): Report type. Where this means:
- Report → Regular report
- Error / Critical / Alert / Emergency → Syslog severity level of an immediate report
in 11.8.8 In the report the messages are first sorted by syslog level and then by date/time
Deactivation
If the Alerting Center function is not desired, the service can be deactivated:
Menu Entry Alerting Center (spalertd) Button:
This setting is saved and is kept even after a restart.