Jump to:navigation, search
Wiki

Alerting Center

(Redirected from Neu/UTM/AlertingCenter)
From Securepoint Wiki




































{{var | 1=Status--desc 

       | 2=Grüne Kontroll-Lampe bei einwandfreier Funktion. Zusätzliche Hinweise beim hovern: Die Anwendung 'Alerting Center' ist aktiviert.
 Die Anwendung 'Mailrelay' ist aktiviert.
 Weitere Informationen können im Anwendungsstatus-Dialog gefunden werden.

Siehe auch das Wiki für das Mailrelay. | 3=Green control lamp when functioning properly. Additional notes when hovering: The 'Alerting Centre' application is activated.
The 'Mailrelay' application is activated.
Further information can be found in the application status dialogue.

































































































De.png
En.png
Fr.png









Function, setup and configuration of the Alerting Center

Last adaptation to the version: 14.0.0

New:
Last updated: 
notempty
This article refers to a Resellerpreview
Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default-Port: 11115
i.e.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115 Alerting Center


Introduction

The Alerting Center automatically sends emails with log events. This sets up monitoring of log events and simplifies monitoring. Error messages can be forwarded to the admin before a malfunction occurs or a malfunction can be detected more quickly.

The Alerting Center is always active by default as soon as a valid email address has been entered and the mail relay has been configured correctly.
It sends notifications by email to the global email address.
There are

  • Immediate reports that are sent immediately when an event occurs, and
  • Regular reports that are sent in a fixed period of time.
Priority groups can be assigned to different events


Requirements

For the Alerting Center to be able to send messages, the Mailrelay must be configured.
If no own mail server or no fixed public IP address is available, a Smarthost can be configured in the menu Applications Mailrelay .


Configuration

Menu Item Alerting Center


General

Caption Default Description Alerting Center UTMuser@firewall.name.fqdn Alerting Center Log UTM v12.6 Alertingcenter Allgemein-en.pngAlerting Center - General
Status:
Recipient: admin@ttt-point.de Here must be a valid mail address.
This is displayed in the menu Network Server Settings  Area Appliance settings
Firewall
global email address.
Sender: spalertd@firewall.ttt-point.local The sender address can be freely configured.
The default is spalertd@firewallname
Inform about expiring certificates: Yes Should remain activated so that certificates can be extended in good time.

Immediate email report

Enabled: Yes Immediate e-mail reports are sent by default UTM v12.6.2 Alerting Center Umgehender E-Mail Bericht-en.png
Alerting Center Immediate Email report
Send test report
notempty
New as of v12.6.0
 Sends a test report to the stored address or to the alternative recipient
Alternative recipient:     Here, an alternative recipient can be entered
Benachrichtigungstypen Level 5 - Urgent warning
Level 6 - Error
Level 7 - Critical
Level 8 - Alert
Level 9 - Emergency 		Es gibt zwei verschiedene Gruppen von Benachrichtigungen:
1. Level 1 - Debug 6. Level 6 - Error
2. Level 2 - Info 7. Level 7 - Critical
3. Level 3 - Notice 8. Level 8 - Alert
4. Level 4 - Warning 9. Level 9 - Emergency
5. Level 5 - Urgent warning
  1. Level 1 - Debug
  2. Level 2 - Info
  3. Level 3 - Notice
  4. Level 4 - Warning
  5. Level 5 - Urgent warning
  6. Level 6 - Error
  7. Level 7 - Critical
  8. Level 8 - Alert
  9. Level 9 - Emergency
Limit: 10Link= Reports Immediate reports for the same error within a time frame
Time frame: 60Link= Minutes Period after which reports are sent again until the maximum number is reached.

Regular email report

Enabled: Yes Regular email reports are sent by default.
 This only happens if any event with a log level has occurred. Otherwise, no report will be sent. If a report is desired nevertheless, this can be realized via the Unified Security Report. 		UTM v12.6.2 Alerting Center Regelmässiger E-Mail Bericht-en.png
Alerting Center - Regular mail report
Send test report
notempty
New as of v12.6.2
 Sends a test report to the stored address or to the alternative recipient
Alternative recipient:     Here, an alternative recipient can be entered
Benachrichtigungstypen Level 2 - Info
Level 3 - Notice
Level 4 - Warning
Level 5 - Urgent warning
Level 6 - Error
Level 7 - Critical
Level 8 - Alert
Level 9 - Emergency		 In the click box further priority groups can be selected or deselected.
Events configured with these syslog groups are listed in a regularly sent mail.
Date: Mon Tue Wed Thu Fri Sat Sun
08: 30		 Click on the days of the week to select or deselect them.

HTTP Request

HTTP Request
Enabled: No By default disabled.
If enabled, HTTP requests can be sent. Thereby, the alerting centre transmits an HTTP request to a defined address with defined content. 		UTM v12.6 Alerting Center Erweitert-en.png
Alerting Center - Extended
Benachrichtigungstypen     The notification types can be selected in the click box.
Content:     This is where the content is determined, and the structure should look like this:

<init> URL=xxx METHOD=xxx CONTENT_TYPE=xxx <body> My message. </body> </init>

Definition Placeholder
General
Status/Severity @@SEVERITY@@
Date and time @@DATE@@
Source @@SOURCE@@
general message @@MESSAGE@@
collectd spezifisch
current value @@CURRENT_VALUE@@
Instanz/Plugin @@INSTANCE@@
set limit @@LIMIT@@
Duration of the boundary crossing @@OVER_LIMIT@@
syslog specific
Log message programme @@PROGRAMM@@
Group of patterns found @@GROUP@@
Group message @@GROUP_MSG@@
Pattern name @@PATTERN@@
Message of the Pattern @@PATTERN_MSG@@
Log ID of the log message @@LOG_ID@@

Showcase with a paid service that can in turn forward the messages to a mobile phone app.
<init> URL=https://api.pushover.net/1/messages.json METHOD=POST CONTENT_TYPE=application/x-www-form-urlencoded <body> token=xxx&user=xxx&message=Created with Template Datum: @@DATE@@ Quelle: @@SOURCE@@ Schwere: @@SEVERITY@@ Nachricht: @@MESSAGE@@ {{#var:Weitere Informationen}}: (Collectd) Aktueller Wert: @@CURRENT_VALUE@@ Instance: @@INSTANCE@@ Grenzwert: @@LIMIT@@ Überschritten seit: @@OVER_LIMIT@@ (Syslog) Programm: @@PROGRAM@@ Gruppe: @@GROUP@@ Gruppen-Nachricht: @@GROUP_MSG@@ Pattern-Name: @@PATTERN@@ Pattern-Nachricht: @@PATTERN_MSG@@ Log-ID: @@LOG_ID@@ </body> </init>

  • The easiest way to send a test notification is to set the Threshold 1 for Memory space (DF) to 99% and display "Level 4 - Warning" and/or "Level 6 - Error" via the HTTP request.

  • After the test, the value for memory space (DF) must be reset to the original value.
    •

    Notifications

    Damit auf mögliche Probleme schnell reagiert werden kann gibt es Benachrichtigungen. Aktuelle Benachrichtigungen können jederzeit mithilfe der Schaltfläche Alert Meldungen anzeigen im Header angesehen werden. Die Zahl an der Schaltfläche beschreibt die Anzahl ungelesener Benachrichtigungen. UTM v14.0.0 AlertingCenter Benachrichtigungen Dropdown-en.png
    Benachrichtigungen Dropdown im Header
    Button Description
    Alle gelesen Alle Benachrichtigungen als gelesen markieren
    Ausgewählte gelesen Mit Checkbox ausgewählte Benachrichtigungen als gelesen markieren
    Benachrichtigungstypen
    Es gibt zwei verschiedene Gruppen von Benachrichtigungen:

    Threshold controlled notifications

    These values can be specified:
    Name: CPU 0 utilization user (CPU_0_User) Name of the respective notification type Edit Notification UTMuser@firewall.name.fqdn Alerting Center UTM v12.6 Alertingcenter Schwellenwert gesteuerte Benachrichtigungen bearbeiten-en.pngExample of threshold-driven notification
    Toleranced exceedance of threshold values: 60 Minutes Accepted duration of the overrun
    First notification level
    Notification type: Level 3 - Notice (Regularly) Select the desired notification type
    Threshold Value: 70 %CPU
    Utilization or higher     		Value from which this level is reached
    Second notification level
    Notification type: Level 4 - Warning (Regularly) Select the desired notification type
    Threshold Value: 90 %CPU
    Utilization or higher     		Value from which this level is reached


    Name: Toleranced exceedance of threshold values:
    Default     		Threshold Value: 1
    Default
    Notification type: Severity-Level         		Threshold Value: 2
    Default
    Notification type: Severity-Level
    • CPU 0 utilization user
      (CPU_0_USER)
    		 60 Minutes 70 % CPU utilization or higher
    Level 3 - Notice     		90%
    Level 4 - Warning
    • CPU 0 utilization system
      (CPU_0_USER)
    		 60 Minutes 70 % CPU utilization or higher
    Level 3 - Notice     		90%
    Level 4 - Warning
    • if required further CPUs
    		 ... ... ...
    • HDDTEMP
    		240 Minutes Hard disk temperature rises to 60°C or higher
    Level 4 - Warning     		70°C
    Level 6 - Error
    • LOAD
      Number of processes that are to be processed simultaneously.
    		 60 Minutes 1.5 load average (5 minutes) or higher.

    Average value of the last 5 minutes.
    Ideally, the load per processor should not exceed 1.
    Level 4 - Warning

    		4
    Level 5 - Urgent warning
    • Mailrelay (MAILQUEUE)
    		 240 Minutes 100 e-mails or more could not be processed yet and are in the mail queue
    Level 4 - Warning     		1000 E-Mails
    Level 6 - Error
    • Interface LAN1 (INTERFACE_LAN1)
    		 0 Minutes 20000 bytes / second or more
    Level 0 - No message     		200000 Bytes
    Level 0 - No message
    • All other existing interfaces and tunnels
    		 ... ... ...
    • Disk space (DF)
    		 0 Minutes 20 % free disk space or less
    Level 4 - Warning     		10%
    Level 5 - Urgent warning



    Event-based notifications

    For event-based notifications, a Syslog Priority Group is directly assigned to the Notification Type. Edit Notification UTMuser@firewall.name.fqdnAlerting Center UTM v12.6 Alertingcenter Ereignisse gesteuerte Benachrichtigungen bearbeiten-en.pngEvident-based notification example



    Name: Message: Default Syslog Group:
    ACME Errors Error messages for ACME certificates Level 6 - Error
    ACME Information ACME certificate messages Level 3 - Notice
    AD/LDAP Connection problems to Active Directory or LDAP server. Level 4 - Warning
    Bond Failure
    notempty
    New as of v14.0
    		 A malfunction has been detected. Level 8 - Alert
    Bond Information
    notempty
    New as of v14.0
    		 Bond events were detected. Level 2 - Info
    Cloud-Backup Regular cloud backup failed. Level 6 - Error
    Cluster Switch Cluster: Switching between MASTER and BACKUP. Level 8 - Alert
    Connection Tracking The maximum number of Conntrack entries has been reached Level 7 - Critical
    DBUS Rule Policy DBUS security violation detected. Level 7 - Critical
    Driver Error
    notempty
    New as of v14.0
    		 A driver malfunction has been detected. Level 6 - Error
    DSL/VDSL Dial-up problem over DSL or VDSL. Level 4 - Warning
    DynDNS-Client Account Account error message of the DynDNS client. Level 4 - Warning
    DynDNS-Client Host Host error message of the DynDNS client. Level 4 - Warning
    DynDNS-Client Server Server error message of the DynDNS client. Level 4 - Warning
    Fallback-Interface Fallback interface activated/deactivated. Level 7 - Critical
    Firmware Updates Firmware update messages Level 2 - Info
    Firmware Update Error Firmware update error messages Level 6 - Error
    GeoIP Objects Notifications from the GeoIP service Level 4 - Warning
    GeoIP Update GeoIP databases were updated. Level 2 - Info
    GeoIP Update Error Error updating the GeoIP databases. Databases were reset to their previous state. Level 4 - Warning
    HTTP-Proxy Workers HTTP-Proxy: No more worker processes.
    For load balancing, the HTTP proxy squid outsources its services to worker processes. When all worker processes are terminated, the HTTP proxy no longer runs.
    		Level 6 - Error
    IPS Blocking Blocked IP address messages due to incorrect logon Level 4 - Warning
    License Error License error messages Level 6 - Error
    License Information License information messages. Level 3 - Notice
    Mail Scanner Mail scanner has detected a virus Level 6 - Error
    Mailconnector Authentication Mailconnector authentication problem to the e-mail provider Level 6 - Error
    Mailconnector Fetch Mailconnector rejects an e-mail due to message size Level 4 - Warning
    Mailrelay Greylist Pass-All Mode Failed to reset greylisting database, greylisting module will be bypassed (deactivated). Level 7 - Critical
    Mailrelay Greylist Reset Failed to load greylisting database, greylisting database will be reset. Level 4 - Warning
    Mandatory Access Control (MAC) Security breach detected (MAC) Level 7 - Critical
    Network Interface Changes Change of a network interface detected. Level 4 - Warning
    Shutdown Detection Unclean shutdown detected Level 7 - Critical
    Spam Filter Cloud Spam Filter can not connect to cloud Level 4 - Warning
    Squid Virus Scanner Squid (HTTP proxy) has detected a virus Level 6 - Error
    SSL VPN Authentication failed with SSL VPN Cert&Auth Level 4 - Warning
    Threat Intelligence Filter - FORWARD Forwarding to an IP address prevented by Threat Intelligence Filter Level 8 - Alert
    Threat Intelligence Filter - OUTPUT Calling an IP address prevented by Threat Intelligence Filter Level 8 - Alert
    Threat Intelligence Filter - INPUT External access from an IP address prevented by Threat Intelligence Filter Level 8 - Alert
    USC PIN Block An incorrect USC PIN was entered multiple times for authentication on the UTM. Authentication via a PIN is thus blocked. Unlock the PIN in the UTM by authenticating yourself at the UTM with username and password (and OTP if necessary). Level 7 - Critical
    USC PIN Mismatch The verification of the USC PIN for authentication at the UTM failed. Level 6 - Error
    The settings are concluded with
    .

    Result

    Notifications are now sent to the specified mail address at the configured times and system states.
    The subject of the messages is structured as follows: Subject:Alerting-Center (firewall-name): Report type. Where this means:

    • Report → Regular report
    • Error / Critical / Alert / Emergency → Syslog severity level of an immediate report

    In the report the messages are first sorted by syslog level and then by date/time


    Example for Immediate email report
    Example for regular email report












    Functionality test

    The alerting center can send test reports to test the correct notification. The following CLI commands are used for this purpose: alertingcenter report test
    alertingcenter fast report test
    alertingcenter http request test

  • The subject of the test mails is exactly the same as that of real notifications.
    The email itself, however, contains clear indications that it is a test.
    • UTM v12.6 Alertingcenter Report.png
    alertingcenter report test















    Read out the messages via SNMP

    The alerting centre messages can also be read out via SNMP.

    Excerpt from the MIB:

    -- SUBTREE: 1.3.6.1.4.1.28553.2.1.9 -- iso.org.dod.internet.private.enterprises.securepoint.products.utm.alerts alerts OBJECT IDENTIFIER ::= { utm 9 } alertsTable OBJECT-TYPE SYNTAX SEQUENCE OF AlertsTableEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Table containing information about alerts generated from UTM" ::= { alerts 1 }

    More information are available in the article abozt SNMP-Oids


    Retrieved from "https://wiki.securepoint.de/index.php?title=UTM/AlertingCenter&oldid=93820"