Note: This article refers to a version that is no longer current.
The article for the latest version can be found here.
A newer version of this article already exists, but it refers to a reseller preview.
Function, setup and configuration of the Alerting Center
Last adaptation: 12.4
New: This article refers to a reseller preview
12.2, 11.8.8



Introduction

The Alerting Center automatically sends e-mails about log events. This establishes monitoring of log events and simplifies supervision: error messages can be forwarded to the admin before a malfunction occurs, or a malfunction can be detected more quickly.

The Alerting Center is active by default as soon as a valid e-mail address has been entered and the Mailrelay has been configured correctly.
The Alerting Center sends notifications by e-mail to the global e-mail address.
There are

  • immediate reports, which are sent as soon as an event occurs, and
  • regular reports, which are sent at a fixed interval.
Priority groups can be assigned to the different events.


Requirements

For the Alerting Center to be able to send messages, the Mailrelay must be configured.
If no dedicated mail server or no fixed public IP address is available, a smarthost can be configured under Menu → Applications → Mailrelay.


Configuration

Menu → Alerting Center

General

(Screenshot: Alerting Center - General)
Status: Green control lamp when functioning properly. Additional notes when hovering: The 'Alerting Center' application is activated. The 'Mailrelay' application is activated. Further information can be found in the application status dialogue. See also the wiki article for the Mailrelay.
Recipient: admin@ttt-point.de  A valid mail address must be entered here. It is the address shown under Menu → Network → Server Settings, tab Appliance settings, field global email address.
Sender: spalertd@firewall.ttt-point.local  The sender address can be freely configured. The default is spalertd@firewallname.

Immediate email report

(Screenshot: Alerting Center - Immediate email report)
Enabled: Yes  Immediate e-mail reports are sent by default.
Alternative recipient: (new in 12.4) An alternative recipient can be entered here.
Notification types: Level 5 - Urgent warning, Level 6 - Error, Level 7 - Critical, Level 8 - Alert, Level 9 - Emergency  Further priority groups can be selected in the click box.

If an event occurs or a threshold value associated with one of these groups is exceeded, an e-mail is sent immediately.

Available priority groups:
  1. Level 1 - Debug
  2. Level 2 - Info
  3. Level 3 - Notice
  4. Level 4 - Warning
  5. Level 5 - Urgent warning
  6. Level 6 - Error
  7. Level 7 - Critical
  8. Level 8 - Alert
  9. Level 9 - Emergency
Limit: 10 reports  Maximum number of immediate reports for the same error within one time frame.
Time frame: 60 minutes  Period after which reports for the same error are sent again once the maximum number has been reached.

Regular email report

(Screenshot: Alerting Center - Regular mail report)
Enabled: Yes  Regular e-mail reports are sent by default. A report is only sent if an event with one of the configured log levels has occurred; otherwise no report is sent. If a report is desired nevertheless, this can be realised via the Unified Security Report.
Alternative recipient: (new in 12.4) An alternative recipient can be entered here.
Notification types: Level 2 - Info, Level 3 - Notice, Level 4 - Warning, Level 5 - Urgent warning, Level 6 - Error, Level 7 - Critical, Level 8 - Alert, Level 9 - Emergency  Further priority groups can be selected or deselected in the click box. Events configured with these syslog groups are listed in a regularly sent mail.
Date: Mon Tue Wed Thu Fri Sat Sun, 08:30  Click on the days of the week to select or deselect them.

HTTP Request

(new in 12.4)
(Screenshot: Alerting Center - HTTP Request)
Enabled: No  Disabled by default. If enabled, HTTP requests can be sent: the Alerting Center transmits an HTTP request with defined content to a defined address.
Notification types: The notification types can be selected in the click box.
Content: The content is defined here. Its structure should look like this:

<init> URL=xxx METHOD=xxx CONTENT_TYPE=xxx <body> My message. </body> </init>

Placeholder definitions

General
  • @@SEVERITY@@  Status/severity
  • @@DATE@@  Date and time
  • @@SOURCE@@  Source
  • @@MESSAGE@@  General message
collectd specific
  • @@CURRENT_VALUE@@  Current value
  • @@INSTANCE@@  Instance/plugin
  • @@LIMIT@@  Set limit
  • @@OVER_LIMIT@@  Duration of the threshold exceedance
syslog specific
  • @@PROGRAMM@@  Log message programme
  • @@GROUP@@  Group of patterns found
  • @@GROUP_MSG@@  Group message
  • @@PATTERN@@  Pattern name
  • @@PATTERN_MSG@@  Message of the pattern
  • @@LOG_ID@@  Log ID of the log message

Sample with a paid service which in turn can forward the messages to a mobile phone app (note that the table above lists the programme placeholder as @@PROGRAMM@@ while the sample uses @@PROGRAM@@; check which spelling your version accepts):

<init> URL=https://api.pushover.net/1/messages.json METHOD=POST CONTENT_TYPE=application/x-www-form-urlencoded <body> token=xxx&user=xxx&message=Created with Template Datum: @@DATE@@ Quelle: @@SOURCE@@ Schwere: @@SEVERITY@@ Nachricht: @@MESSAGE@@ Weitere Informationen: (Collectd) Aktueller Wert: @@CURRENT_VALUE@@ Instance: @@INSTANCE@@ Grenzwert: @@LIMIT@@ Überschritten seit: @@OVER_LIMIT@@ (Syslog) Programm: @@PROGRAM@@ Gruppe: @@GROUP@@ Gruppen-Nachricht: @@GROUP_MSG@@ Pattern-Name: @@PATTERN@@ Pattern-Nachricht: @@PATTERN_MSG@@ Log-ID: @@LOG_ID@@ </body> </init>
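The following is an added example, not code from the article or from the appliance, of how a template in the layout above can be parsed and its placeholders filled before a request is built. It assumes a constructed endpoint URL, token and user, and adds two checks of its own: the endpoint must be https, and for application/x-www-form-urlencoded content each placeholder value is URL-encoded so that characters such as '&' or '=' inside a log message cannot add or alter form fields.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed template in the Alerting Center's <init> ... </init> layout.
# The endpoint, token and user are placeholders, not real values.
TEMPLATE = (
    "<init> URL=https://api.example.invalid/1/messages.json METHOD=POST "
    "CONTENT_TYPE=application/x-www-form-urlencoded "
    "<body> token=xxx&user=xxx&message=Date: @@DATE@@ Source: @@SOURCE@@ "
    "Severity: @@SEVERITY@@ Message: @@MESSAGE@@ </body> </init>"
)

INIT_RE = re.compile(
    r"<init>\s*(?P<head>.*?)\s*<body>(?P<body>.*?)</body>\s*</init>", re.S)
PLACEHOLDER_RE = re.compile(r"@@([A-Z_]+)@@")

def parse_template(template):
    """Split an <init> template into its header fields and the raw body."""
    m = INIT_RE.search(template)
    if not m:
        raise ValueError("template must be <init> ... <body> ... </body> </init>")
    head = dict(kv.partition("=")[::2] for kv in m.group("head").split())
    missing = [k for k in ("URL", "METHOD", "CONTENT_TYPE") if k not in head]
    if missing:
        raise ValueError("template header lacks " + ", ".join(missing))
    if urlsplit(head["URL"]).scheme != "https":   # added check, not an appliance rule
        raise ValueError("alert endpoint should be https")
    return head, m.group("body").strip()

def render_body(body, event, content_type):
    """Fill @@NAME@@ placeholders from event; unknown names become ''."""
    def fill(text):
        return PLACEHOLDER_RE.sub(lambda mm: str(event.get(mm.group(1), "")), text)
    if content_type == "application/x-www-form-urlencoded":
        # Substitute per field, then re-encode, so '&', '=' or '%' inside a log
        # message cannot add or alter form fields (assumption: the appliance
        # does not encode placeholder values itself).
        fields = [f.partition("=")[::2] for f in body.split("&")]
        return urlencode([(k, fill(v)) for k, v in fields])
    return fill(body)

def build_request(template, event):
    """Return (method, url, headers, body) ready for an HTTP client."""
    head, body = parse_template(template)
    rendered = render_body(body, event, head["CONTENT_TYPE"])
    return head["METHOD"], head["URL"], {"Content-Type": head["CONTENT_TYPE"]}, rendered

def decode_form(rendered):
    """Decode a form body back into a single-valued dict for inspection."""
    return {k: v[0] for k, v in parse_qs(rendered).items()}
```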

Notifications

There are two different groups of notifications:

Threshold controlled notifications

These values can be specified:
(Screenshot: Example of threshold-driven notification)
Name: CPU 0 utilization user (CPU_0_User)  Name of the respective notification type
Tolerated exceedance of threshold values: 60 minutes  Accepted duration of the overrun
First notification level
  Notification type: Level 3 - Notice (Regularly)  Select the desired notification type
  Threshold value: 70 % CPU utilization or higher  Value from which this level is reached
Second notification level
  Notification type: Level 4 - Warning (Regularly)  Select the desired notification type
  Threshold value: 90 % CPU utilization or higher  Value from which this level is reached

Defaults (name; tolerated exceedance of threshold values; threshold value 1 → notification type; threshold value 2 → notification type):

  • CPU 0 utilization user (CPU_0_USER): 60 minutes; 70 % CPU utilization or higher → Level 3 - Notice; 90 % → Level 4 - Warning
  • CPU 0 utilization system (CPU_0_USER): 60 minutes; 70 % CPU utilization or higher → Level 3 - Notice; 90 % → Level 4 - Warning
  • Further CPUs, if present: ...
  • HDDTEMP (new in 12.4.1): 240 minutes; hard disk temperature of 60 °C or higher → Level 4 - Warning; 70 °C → Level 6 - Error
  • LOAD (number of processes waiting to be processed simultaneously): 60 minutes; load average (5 minutes) of 1.5 or higher → Level 4 - Warning; 4 → Level 5 - Urgent warning. The value is the average of the last 5 minutes; ideally the load per processor should not exceed 1.
  • Mailrelay (MAILQUEUE): 240 minutes; 100 or more e-mails not yet processed and waiting in the mail queue → Level 4 - Warning; 1000 e-mails → Level 6 - Error
  • Interface eth0 (INTERFACE_eth0): 0 minutes; 20000 bytes/second or more → Level 0 - No message; 200000 bytes → Level 0 - No message
  • All other existing interfaces and tunnels: ...
  • Disk space (DF): 0 minutes; 20 % free disk space or less → Level 4 - Warning; 10 % → Level 5 - Urgent warning
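As an added example (not part of the original article), the following evaluates the threshold logic described above over a constructed series of per-minute samples: a level is only reached once the value has breached its threshold for the whole tolerated exceedance period, "or less" rules such as free disk space use a different comparison, and "Level 0 - No message" levels never fire. The rule constants are taken from the defaults table; the sample traces are constructed.

```python
from dataclasses import dataclass
from operator import ge, le
from typing import Callable, Tuple

@dataclass(frozen=True)
class ThresholdRule:
    """One threshold-controlled notification, as in the defaults table above."""
    name: str
    tolerance_min: int                      # tolerated exceedance, in minutes
    levels: Tuple[Tuple[float, str], ...]   # (threshold, notification type), rising severity
    compare: Callable = ge                  # ge: "or higher"; le: "or less" (free disk space)

# Rules taken from the defaults table (a subset, constructed for this example).
CPU_0_USER = ThresholdRule("CPU_0_USER", 60,
                           ((70, "Level 3 - Notice"), (90, "Level 4 - Warning")))
DF = ThresholdRule("DF", 0,
                   ((20, "Level 4 - Warning"), (10, "Level 5 - Urgent warning")), le)
INTERFACE_ETH0 = ThresholdRule("INTERFACE_eth0", 0,
                               ((20000, "Level 0 - No message"), (200000, "Level 0 - No message")))

def evaluate(rule, samples):
    """Return the most severe notification type whose threshold is breached
    continuously for at least the tolerated duration, or None.
    samples: (minute, value) pairs, one per minute, in ascending order."""
    fired = None
    for threshold, level in rule.levels:
        if level.startswith("Level 0"):
            continue                        # "No message": never notifies
        run_start = None
        for minute, value in samples:
            if not rule.compare(value, threshold):
                run_start = None            # breach ended: the tolerance clock restarts
                continue
            if run_start is None:
                run_start = minute
            if minute - run_start >= rule.tolerance_min:
                fired = level               # later (more severe) levels overwrite earlier ones
                break
    return fired

if __name__ == "__main__":
    # Constructed trace: user CPU at 95 % for 30 minutes, then 75 % for the rest of the hour.
    trace = [(m, 95 if m < 30 else 75) for m in range(61)]
    print(CPU_0_USER.name, "->", evaluate(CPU_0_USER, trace))   # Level 3 - Notice
```

The 95 % phase in the constructed trace is shorter than the 60-minute tolerance, so only the 70 % level is reached; the 90 % level would need the whole hour above 90 %.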



Event-based notifications

For event-based notifications, a syslog priority group is assigned directly to the notification type.
(Screenshot: Event-based notification example)

Name: message → default syslog group

  • ACME Errors (new in 12.4): Error messages for ACME certificates → Level 6 - Error
  • ACME Information (new in 12.4): ACME certificate messages → Level 3 - Notice
  • AD/LDAP: Connection problems to Active Directory or LDAP server → Level 4 - Warning
  • Cloud-Backup (new in 12.4): Regular cloud backup failed → Level 6 - Error
  • Cluster Switch: Cluster: switching between MASTER and BACKUP → Level 8 - Alert
  • Connection Tracking (new in 12.4): The maximum number of conntrack entries has been reached → Level 7 - Critical
  • DBUS Rule Policy: DBUS security violation detected → Level 7 - Critical
  • DSL_VDSL: Dial-up problem over DSL or VDSL → Level 4 - Warning
  • DynDNS-Client Account: Account error message of the DynDNS client → Level 4 - Warning
  • DynDNS-Client Host: Host error message of the DynDNS client → Level 4 - Warning
  • DynDNS-Client Server: Server error message of the DynDNS client → Level 4 - Warning
  • Fallback-Interface: Fallback interface activated/deactivated → Level 7 - Critical
  • Firmware Updates (new in 12.4): Firmware update messages → Level 2 - Info
  • GeoIP Objects: Notifications from the GeoIP service → Level 4 - Warning
  • GeoIP Update (new in 12.4): GeoIP databases were updated → Level 2 - Info
  • GeoIP Update Error (new in 12.4): Error updating the GeoIP databases; the databases were reset to their previous state → Level 4 - Warning
  • HTTP-Proxy Workers: HTTP-Proxy: no more worker processes. For load balancing, the HTTP proxy squid delegates its services to worker processes; when all worker processes have terminated, the HTTP proxy no longer runs → Level 6 - Error
  • IPS Blocking: Messages about IP addresses blocked due to incorrect logon → Level 4 - Warning
  • License Error: License error messages → Level 6 - Error
  • License Information: License information messages → Level 3 - Notice
  • Mail Scanner: Mail scanner has detected a virus → Level 6 - Error
  • Mailconnector Authentication: Mailconnector authentication problem with the e-mail provider → Level 6 - Error
  • Mailconnector Fetch: Mailconnector rejects an e-mail due to message size → Level 4 - Warning
  • Mailrelay Greylist Pass-All Mode (new in 12.4): Failed to reset greylisting database, greylisting module will be bypassed (deactivated) → Level 7 - Critical
  • Mailrelay Greylist Reset (new in 12.4): Failed to load greylisting database, greylisting database will be reset → Level 4 - Warning
  • Mandatory Access Control (MAC): Security breach detected (MAC) → Level 7 - Critical
  • Network Interface Changes (new in 12.4): Change of a network interface detected → Level 4 - Warning
  • Shutdown Detection: Unclean shutdown detected → Level 7 - Critical
  • Spam Filter: Cloud spam filter cannot connect to the cloud → Level 4 - Warning
  • Squid Virus Scanner: Squid (HTTP-Proxy) has detected a virus → Level 6 - Error
  • SSL_VPN: Authentication failed with SSL VPN Cert&Auth → Level 4 - Warning
  • Threat Intelligence Filter - FORWARD: Forwarding to an IP address prevented by the Threat Intelligence Filter → Level 8 - Alert
  • Threat Intelligence Filter - OUTPUT: Calling an IP address prevented by the Threat Intelligence Filter → Level 8 - Alert
  • Threat Intelligence Filter - INPUT: External access from an IP address prevented by the Threat Intelligence Filter → Level 8 - Alert


The settings are concluded with Save.


Result

Notifications are now sent to the specified mail address at the configured times and system states.
The subject of the messages is structured as follows: Subject: Alerting-Center (firewall-name): Report type, where the report type means:

  • Report → Regular report
  • Error / Critical / Alert / Emergency → Syslog severity level of an immediate report

In the report the messages are sorted first by syslog level and then by date/time.

(Screenshots: Example of an immediate email report; Example of a regular email report)
Deactivation

If the Alerting Center function is not desired, the service can be deactivated:

Menu → Applications → Application Status, entry Alerting Center (spalertd), button: ■ Stop

This setting is saved and is retained even after a restart.