notempty
notempty
notempty Dieser Artikel bezieht sich auf eine nicht mehr aktuelle Version!
notempty
Der Artikel für die neueste Version steht hier
Zu diesem Artikel gibt es bereits eine neuere Version, die sich allerdings auf eine Reseller-Preview bezieht
Function, setup and configuration of the Alerting Center
Last adaptation to the version: 12.2.3
New:
- Messages of the GeoIP service generate a notification
- The email address for the sender is now freely configurable
notempty
This article refers to a Resellerpreview
Introduction
The Alerting Center automatically sends e-mails with log events. This sets up monitoring of log events and simplifies monitoring. Error messages can be forwarded to the admin before a malfunction occurs or a malfunction can be detected more quickly.
The Alerting Center is always active by default as soon as a valid e-mail address has been entered and the mail relay has been configured correctly.
The Alerting Center sends notifications by e-mail to the global e-mail address.
There are
- Immediate reports that are sent immediately when an event occurs, and
- Regular reports that are sent in a fixed period of time.
Requirements
For the Alerting Center to be able to send messages, the Mailrelay must be configured.
If no own mail server or no fixed public IP address is available, a Smarthost can be configured in the menu .
If no own mail server or no fixed public IP address is available, a Smarthost can be configured in the menu .
Configuration
Menu Item
General
| Caption: | Default: | Description: |  |
|---|---|---|---|
| Status: | ⬤ | Should be green, otherwise please check the Mailrelay | |
| Recipient: | admin@ttt-point.de | Here must be a valid mail address. This is displayed in the menu Tab Appliance settings →global email address. | |
| Sender | spalertd@firewall.ttt-point.local | The sender address can be freely configured. The default is spalertd@firewallname New as of 12.2.3
| |
Immediate email report | |||
| Enabled: | Yes | Immediate e-mail reports are sent by default. |  |
| Notification types: | ×Level 5 - Urgent warning × Level 6 - Error × Level 7 - Critical × Level 8 - Alert × Level 9 - Emergency |
Further priority groups can be selected in the click box.
If an event occurs or a threshold value associated with this group is exceeded, an e-mail is immediately sent. | |
| Limit: | 10 |
Immediate reports within | |
| Time frame: | 60 |
Minutes | |
Regular email report | |||
| Enabled: | Yes | Regular email reports are sent by default. This only happens if any event with a log level has occurred. Otherwise, no report will be sent. If a report is desired nevertheless, this can be realized via the Unified Security Report.
|
 |
| Notification types: | ×Level 2 - Info ×Level 3 - Notice ×Level 4 - Warning ×Level 5 - Urgent warning ×Level 6 - Error ×Level 7 - Critical ×Level 8 - Alert ×Level 9 - Emergency |
In the click box further priority groups can be selected or deselected. Events configured with these syslog groups are listed in a regularly sent mail. | |
| Date: | : |
Click on the days of the week to select or deselect them. | |
Notifications Notifications
| |||
| There are two different groups of notifications: | |||
Threshold controlled notifications | |||
| These values can be specified: | |||
| Name: | CPU 0 utilization user (CPU_0_User) | Name of the respective notification type |  |
| Toleranced exceedance of threshold values: | 60 Minutes | Accepted duration of the overrun | |
First notification level
| |||
| Notification type: | Level 3 - Notice (Regularly) | Select the desired notification type | |
| Threshold Value: | 70 %CPU Utilization or higher |
Value from which this level is reached | |
Second notification level
| |||
| Notification type: | Level 4 - Warning (Regularly) | Select the desired notification type | |
| Threshold Value: | 90 %CPU Utilization or higher |
Value from which this level is reached | |
| Name: | Toleranced exceedance of threshold values: Default |
Threshold Value: 1 Default Notification type: Severity-Level |
Threshold Value: 2 Default Notification type: Severity-Level |
|---|---|---|---|
|
60 Minutes | 70 % CPU utilization or higher Level 3 - Notice |
90% Level 4 - Warning |
|
60 Minutes | 70 % CPU utilization or higher Level 3 - Notice |
90% Level 4 - Warning |
|
... | ... | ... |
|
60 Minutes | 1.5 load average (5 minutes) or higher Average value of the last 5 minutes. |
4 Level 5 - Urgent warning |
|
240 Minutes | 100 e-mails or more could not be processed yet and are in the mail queue Level 4 - Warning |
1000 emails Level 6 - Error |
|
0 Minutes | 20000 bytes / second or more Level 0 - No message |
200000 Bytes Level 0 - No message |
|
... | ... | ... |
|
0 Minutes | 20 % free disk space or less Level 4 - Warning |
10% Level 5 - Urgent warning |
Event-based notifications
| For event-based notifications, a is directly assigned to the Notification Type. |  | ||
| Name: | Message: | Default Syslog Group: |
|---|---|---|
| AD/LDAP | Connection problems to Active Directory or LDAP server. | Level 4 - Warning |
| Cluster Switch |
Cluster: Switching between MASTER and BACKUP. | Level 8 - Alert |
| DBUS Rule Policy | DBUS security violation detected. | Level 7 - Critical |
| DSL_VDSL | Dial-up problem over DSL or VDSL. | Level 4 - Warning |
| DynDNS-Client Account | Account error message of the DynDNS client. | Level 4 - Warning |
| DynDNS-Client Host | Host error message of the DynDNS client. | Level 4 - Warning |
| DynDNS-Client Server | Server error message of the DynDNS client. | Level 4 - Warning |
| Fallback-Interface | Fallback interface activated/deactivated. | Level 7 - Critical |
| GeoIP Objects New as of 12.2.3 |
Notifications from the GeoIP service | Level 4 - Warning |
| HTTP-Proxy Workers New value as of v11.8.5 |
HTTP-Proxy: No more worker processes. For load balancing, the HTTP proxy squid outsources its services to worker processes. When all worker processes are terminated, the HTTP proxy no longer runs. |
Level 6 - Error |
| IPS Blocking | Blocked IP address messages due to incorrect logon | Level 4 - Warning |
| License Error | License error messages | Level 6 - Error |
| License Information | License information messages. | Level 3 - Notice |
| Mail Scanner | Mail scanner has detected a virus | Level 6 - Error |
| Mailconnector Authentication | Mailconnector authentication problem to the e-mail provider | Level 6 - Error |
| Mailconnector Fetch | Mailconnector rejects an e-mail due to message size | Level 4 - Warning |
| Mandatory Access Control (MAC) | Security breach detected (MAC) (until 11.8.3 labeled as tomoyo) | Level 7 - Critical |
| Shutdown Detection | Unclean shutdown detected | Level 7 - Critical |
| Spamfilter-Cloud | Spam Filter can not connect to cloud | Level 4 - Warning |
| Squid Virus Scanner | Squid (HTTP-Proxy) has detected a virus | Level 6 - Error |
| SSL_VPN | Authentication failed with SSL VPN Cert&Auth | Level 4 - Warning |
| Threat Intelligence Filter - FORWARD | Forwarding to an IP address prevented by Threat Intelligence Filter | Level 8 - Alert |
| Threat Intelligence Filter - OUTPUT | Calling an IP address prevented by Threat Intelligence Filter | Level 8 - Alert |
| Threat Intelligence Filter - INPUT | External access from an IP address prevented by Threat Intelligence Filter | Level 8 - Alert |
The settings are concluded with .
Result
Notifications are now sent to the specified mail address at the configured times and system states.
The subject of the messages is structured as follows: Subject:Alerting-Center (firewall-name): Report type. Where this means:
- Report → Regular report
- Error / Critical / Alert / Emergency → Syslog severity level of an immediate report
Deactivation
If the Alerting Center function is not desired, the service can be deactivated:
Menu Entry Alerting Center (spalertd) Button:
This setting is saved and is kept even after a restart.