- Messages of the GeoIP service generate a notification
- The email address for the sender is now freely configurable
Introduction
The Alerting Center automatically sends e-mails about log events. This provides monitoring of log events and simplifies it: error messages can be forwarded to the admin before a malfunction occurs, or a malfunction can be detected more quickly.
The Alerting Center is always active by default as soon as a valid e-mail address has been entered and the mail relay has been configured correctly.
The Alerting Center sends notifications by e-mail to the global e-mail address.
There are
- Immediate reports that are sent immediately when an event occurs, and
- Regular reports that are sent in a fixed period of time.
Requirements
If no mail server of your own or no fixed public IP address is available, a Smarthost can be configured in the menu .
Configuration
General
Caption | Default | Description
---|---|---
Status | ⬤ | Should be green, otherwise please check the Mailrelay
Recipient | admin@ttt-point.de | A valid mail address must be entered here. It is the address displayed in the menu tab Appliance settings → global email address.
Sender | spalertd@firewall.ttt-point.local | The sender address can be freely configured. The default is spalertd@firewallname. New as of 12.2.3
Immediate email report | |
Enabled | Yes | Immediate e-mail reports are sent by default.
Notification types | Level 5 - Urgent warning, Level 6 - Error, Level 7 - Critical, Level 8 - Alert, Level 9 - Emergency | Further priority groups can be selected in the click box. If an event occurs or a threshold value associated with one of these groups is exceeded, an e-mail is sent immediately.
Limit | 10 | Maximum number of immediate reports within the time frame
Time frame | 60 | Minutes
Regular email report | |
Enabled | Yes | Regular e-mail reports are sent by default. A report is only sent if any event with one of the selected log levels has occurred; otherwise no report is sent. If a report is desired nevertheless, this can be realized via the Unified Security Report.
Notification types | Level 2 - Info, Level 3 - Notice, Level 4 - Warning, Level 5 - Urgent warning, Level 6 - Error, Level 7 - Critical, Level 8 - Alert, Level 9 - Emergency | Further priority groups can be selected or deselected in the click box. Events configured with these syslog groups are listed in a regularly sent mail.
Date | | Click on the days of the week to select or deselect them.
Notifications
There are two different groups of notifications:
Threshold controlled notifications
These values can be specified:

Caption | Default | Description
---|---|---
Name | CPU 0 utilization user (CPU_0_User) | Name of the respective notification type
Toleranced exceedance of threshold values | 60 Minutes | Accepted duration of the overrun
First notification level | |
Notification type | Level 3 - Notice (Regularly) | Select the desired notification type
Threshold Value | 70 % CPU Utilization or higher | Value from which this level is reached
Second notification level | |
Notification type | Level 4 - Warning (Regularly) | Select the desired notification type
Threshold Value | 90 % CPU Utilization or higher | Value from which this level is reached
Name | Toleranced exceedance of threshold values: Default | Threshold Value 1: Default | Notification type: Severity-Level | Threshold Value 2: Default | Notification type: Severity-Level
---|---|---|---|---|---
 | 60 Minutes | 70 % CPU utilization or higher | Level 3 - Notice | 90 % | Level 4 - Warning
 | 60 Minutes | 70 % CPU utilization or higher | Level 3 - Notice | 90 % | Level 4 - Warning
... | ... | ... | ... | ... | ...
 | 60 Minutes | 1.5 load average (5 minutes) or higher (average value of the last 5 minutes) | | 4 | Level 5 - Urgent warning
 | 240 Minutes | 100 e-mails or more could not be processed yet and are in the mail queue | Level 4 - Warning | 1000 e-mails | Level 6 - Error
 | 0 Minutes | 20000 bytes / second or more | Level 0 - No message | 200000 Bytes | Level 0 - No message
... | ... | ... | ... | ... | ...
 | 0 Minutes | 20 % free disk space or less | Level 4 - Warning | 10 % | Level 5 - Urgent warning
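As an added example (not part of the original page or the product's code), the two-level threshold check with a tolerated overrun period, applied to the CPU utilization and free disk space defaults from the table above. The tolerance semantics (report once the overrun has lasted the tolerated duration, report again only on escalation) and the sample series are assumptions.

```python
from dataclasses import dataclass

@dataclass
class ThresholdRule:
    """A threshold-controlled notification with two escalation levels, as in the
    defaults table. higher_is_worse=False models 'or less' rules (free disk space)."""
    name: str
    tolerance_min: int        # "Toleranced exceedance": accepted overrun, in minutes
    level1_value: float
    level1_severity: int      # page's syslog-style level number, e.g. 3 = Notice
    level2_value: float
    level2_severity: int
    higher_is_worse: bool = True

    def severity_for(self, value):
        """Severity reached by one sample; 0 when the value is within range."""
        breached = (lambda v, t: v >= t) if self.higher_is_worse else (lambda v, t: v <= t)
        if breached(value, self.level2_value):
            return self.level2_severity
        if breached(value, self.level1_value):
            return self.level1_severity
        return 0

def evaluate(rule, samples):
    """samples: (minute, value) pairs in time order. Returns raised notifications
    as (minute, severity). Assumed semantics: a breach is reported once it has
    lasted at least tolerance_min minutes and again only if it escalates to a
    higher severity; a sample back in range resets the tolerance clock."""
    notifications, breach_start, notified = [], None, 0
    for minute, value in samples:
        sev = rule.severity_for(value)
        if sev == 0:
            breach_start, notified = None, 0   # back to normal
            continue
        if breach_start is None:
            breach_start = minute              # overrun begins
        if minute - breach_start >= rule.tolerance_min and sev > notified:
            notifications.append((minute, sev))
            notified = sev
    return notifications

# Constructed rules mirroring two rows of the defaults table above.
CPU_RULE = ThresholdRule("CPU_0_User", 60, 70, 3, 90, 4)
DISK_RULE = ThresholdRule("free disk space", 0, 20, 4, 10, 5, higher_is_worse=False)

# Constructed sample series (minute, value): CPU % in use, free disk space in %.
CPU_SAMPLES = [(0, 75), (10, 80), (20, 65), (30, 72), (40, 95), (50, 95),
               (60, 95), (70, 95), (80, 95), (90, 95), (100, 50)]
DISK_SAMPLES = [(0, 25), (5, 18), (10, 18), (15, 9), (20, 30)]
```

With the CPU series the short overrun at minutes 0 to 10 never reaches the 60 minute tolerance, so only the sustained 90 % overrun is reported; the disk rule with 0 minutes tolerance reports at once and again on escalation.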
Event-based notifications
For event-based notifications, a notification type is directly assigned to the event.
Name | Message | Default Syslog Group
---|---|---
AD/LDAP | Connection problems to Active Directory or LDAP server. | Level 4 - Warning
Cluster Switch | Cluster: Switching between MASTER and BACKUP. | Level 8 - Alert
DBUS Rule Policy | DBUS security violation detected. | Level 7 - Critical
DSL_VDSL | Dial-up problem over DSL or VDSL. | Level 4 - Warning
DynDNS-Client Account | Account error message of the DynDNS client. | Level 4 - Warning
DynDNS-Client Host | Host error message of the DynDNS client. | Level 4 - Warning
DynDNS-Client Server | Server error message of the DynDNS client. | Level 4 - Warning
Fallback-Interface | Fallback interface activated/deactivated. | Level 7 - Critical
GeoIP Objects (new as of 12.2.3) | Notifications from the GeoIP service | Level 4 - Warning
HTTP-Proxy Workers (new value as of v11.8.5) | HTTP-Proxy: No more worker processes. For load balancing, the HTTP proxy squid outsources its services to worker processes. When all worker processes are terminated, the HTTP proxy no longer runs. | Level 6 - Error
IPS Blocking | Blocked IP address messages due to incorrect logon | Level 4 - Warning
License Error | License error messages | Level 6 - Error
License Information | License information messages. | Level 3 - Notice
Mail Scanner | Mail scanner has detected a virus | Level 6 - Error
Mailconnector Authentication | Mailconnector authentication problem to the e-mail provider | Level 6 - Error
Mailconnector Fetch | Mailconnector rejects an e-mail due to message size | Level 4 - Warning
Mandatory Access Control (MAC) | Security breach detected (MAC) (until 11.8.3 labeled as tomoyo) | Level 7 - Critical
Shutdown Detection | Unclean shutdown detected | Level 7 - Critical
Spamfilter-Cloud | Spam Filter cannot connect to cloud | Level 4 - Warning
Squid Virus Scanner | Squid (HTTP-Proxy) has detected a virus | Level 6 - Error
SSL_VPN | Authentication failed with SSL VPN Cert&Auth | Level 4 - Warning
Threat Intelligence Filter - FORWARD | Forwarding to an IP address prevented by Threat Intelligence Filter | Level 8 - Alert
Threat Intelligence Filter - OUTPUT | Calling an IP address prevented by Threat Intelligence Filter | Level 8 - Alert
Threat Intelligence Filter - INPUT | External access from an IP address prevented by Threat Intelligence Filter | Level 8 - Alert
Result
Notifications are now sent to the specified mail address at the configured times and system states.
The subject of the messages is structured as follows: Alerting-Center (firewall-name): Report type. Here the report type means:
- Report → Regular report
- Error / Critical / Alert / Emergency → Syslog severity level of an immediate report
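The split into immediate and regular reports with the Limit and Time frame settings from the General table, together with the subject format described above, as an added example in Python (not the page's own or the product's code). The sliding-window interpretation of the limit, the firewall name and the event messages are assumptions.

```python
from collections import deque

IMMEDIATE_LEVELS = {5, 6, 7, 8, 9}            # General table defaults
REGULAR_LEVELS = {2, 3, 4, 5, 6, 7, 8, 9}
LEVEL_NAMES = {2: "Info", 3: "Notice", 4: "Warning", 5: "Urgent warning",
               6: "Error", 7: "Critical", 8: "Alert", 9: "Emergency"}

class AlertDispatcher:
    """Immediate vs. regular reports, the 'Limit 10 within 60 minutes' setting
    (assumed sliding window) and the subject 'Alerting-Center (name): type'."""
    def __init__(self, firewall_name, limit=10, time_frame_min=60):
        self.firewall_name = firewall_name
        self.limit, self.time_frame = limit, time_frame_min
        self.sent_at = deque()   # minutes at which immediate mails went out
        self.immediate = []      # (subject, message) mails sent at once
        self.pending = []        # (level, message) kept for the regular report

    def subject(self, report_type):
        return f"Alerting-Center ({self.firewall_name}): {report_type}"

    def handle_event(self, minute, level, message):
        """Returns True if an immediate mail was sent for this event."""
        if level in REGULAR_LEVELS:
            self.pending.append((level, message))
        if level not in IMMEDIATE_LEVELS:
            return False
        while self.sent_at and minute - self.sent_at[0] >= self.time_frame:
            self.sent_at.popleft()   # timestamp fell out of the time frame
        if len(self.sent_at) >= self.limit:
            return False             # limit reached: event only in regular report
        self.sent_at.append(minute)
        self.immediate.append((self.subject(LEVEL_NAMES[level]), message))
        return True

    def regular_report(self):
        """(subject, body), or None when no event occurred (then no mail is sent)."""
        if not self.pending:
            return None
        body = "\n".join(f"Level {lvl} - {LEVEL_NAMES[lvl]}: {msg}"
                         for lvl, msg in self.pending)
        self.pending = []
        return self.subject("Report"), body

def demo():
    """Constructed event stream: 12 errors in 12 minutes, one more an hour later."""
    d = AlertDispatcher("firewall")
    sent = [d.handle_event(m, 6, f"license check failed #{m}") for m in range(12)]
    sent.append(d.handle_event(60, 6, "license check failed #60"))
    d.handle_event(61, 2, "informational event")   # regular report only
    return sent, d.regular_report()
```

In the constructed stream the 11th and 12th errors exceed the limit and appear only in the regular report, while the error at minute 60 is mailed again because the first timestamp has left the 60 minute window.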
Deactivation
If the Alerting Center function is not desired, the service can be deactivated:
Menu Alerting Center (spalertd) Button:
This setting is saved and is kept even after a restart.