Creating thresholds and notifications

Thresholds are used to receive notification of:

  • potential problems on network devices

  • excessive utilization on interfaces

  • devices that appear to be down

  • violation of algorithms in flow analytics

This guide will demonstrate how to properly set thresholds and set up notifications based on violations.

Setting the global threshold

Scrutinizer relies on the SNMP poller to determine the link speed of an interface. These values are used to calculate interface utilization percentages.

  • Link speed is commonly referred to as ifSpeed

  • The link speed can also be changed manually per interface

When the interface utilization percentage reaches a specific level, an alarm is triggered to indicate high utilization. The default utilization percentage set in Scrutinizer is 90%. Depending on the link speed(s) received from the SNMP poller, admins may want to increase or decrease the values obtained from polling the device. To change the Global threshold for utilization, navigate as follows:

Admin Tab>Settings>System Preferences

  1. Scroll down to Threshold – Utilization

  2. Edit the percentage as needed

  3. Click Save

Applying a notification to the global threshold

Once the ifSpeed and the global threshold are set, a notification can be applied. The notification can take a number of forms (email, logfile, syslog, snmptrap, script, and auto-acknowledge) and sends an alert when the threshold is breached. To add a notification to the global threshold policy, navigate to:

Admin Tab>Definitions>Alarm Policies

  1. Enter ‘Interface Threshold Violation’ in the search field

  2. Click the Search button

  3. Then click on the ‘Interface Threshold Violation’ Policy when it’s displayed

  4. Next, go to the New Notification subtab, use the dropdowns to select and configure a Notification Profile and then click the Save button.

How to create a notification that is sent via email

Example:

I want to run a default report that monitors total bandwidth on a particular interface.

When it exceeds a threshold that I will specify, I want to have it send an email to me.

Creating the notification profile to use

Notification profiles can be created once and applied to multiple policies. Enter the necessary data and select additional details from the Available Variables for Message list to ensure the desired information is included in the alert.

Available notification methods:

  • Email: send an email alert

    • Enter the email address the alert is destined for in the “To” field

Note

An email server must be configured in Scrutinizer for these alerts to function. If the email server has not yet been configured in Scrutinizer, click the “Configure” button to set that up.

  • Logfile: add alert message to a file

    • Enter log file name with the absolute file path of:

      /home/plixer/scrutinizer/files/logs/{logfile_name.txt}

Note

Log files must be placed at this location.

  • Syslog: send syslog alert to Host address.

    Required fields are:

    • Host: Target server address

    • UDP Port: Target server port (default 514)

    • Priority

    • Facility

  • SnmpTrap: send snmptrap alert to Host address.

    Required fields are:

    • Host: Target server

    • Community String

    • UDP Port

    • Enterprise OID

    • Generic ID

    • Specific ID

    • Binding OID

    • From Host

  • Script: trigger action defined in Script.

    Required fields are:

    • Script: /home/plixer/scrutinizer/files/{alert_script.sh}

    • Note: Script must be placed in this folder and absolute path must be included in the Script field.

    • Command-line Arguments: Variables to include in the script from the Available Variables list below.

  • Auto Acknowledge: automatically acknowledge policy alarms

    • Policy To Acknowledge: select target policy from dropdown list

  • ServiceNow - Ticket: automatically create a ServiceNow ticket with the Event message as the description

  • CEF: send CEF notification with Event details to a host address

If multiple notifications are added to the same notification profile, their order can be changed by entering lower or higher numbers to the left of each notification and clicking the Save button.

Available variables for message

  • %m: Message

  • %v: Violator Address

  • %h: Host

  • %p: Protocol

  • %pol: Policy Violated

  • %notes: Policy Notes

  • %id: Alarm ID
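
A handler for the Script notification method described above, as an added example that is not part of the original guide and not Plixer's code. It assumes the Command-line Arguments field is set to %id %pol %v %h %p %m, that each variable arrives as a single argument, and that %v is an IP address; the log file name alert_script.log is also an assumption. Alarm fields can contain text influenced by whoever generated the traffic, so the script treats them strictly as data and refuses any unexpected argument count.

```shell
#!/bin/sh
# Added example, not Plixer code: handler for a Scrutinizer "Script" notification.
# Assumed Command-line Arguments field: %id %pol %v %h %p %m
# Every argument is alarm data that may carry text chosen by whoever generated
# the traffic, so it is only ever quoted, never eval'd or used to build a path.
set -eu

# Assumed output file name; override ALERT_LOG when testing.
ALERT_LOG="${ALERT_LOG:-/home/plixer/scrutinizer/files/logs/alert_script.log}"

# Control characters and double quotes become spaces, so one alarm is always
# one log line and cannot forge extra key="value" fields. Capped at 512 chars.
sanitize() {
    printf '%s' "$1" | tr '\001-\037\177"' ' ' | cut -c1-512
}

# Assumption: %v expands to an IPv4 or IPv6 address.
is_address() {
    case "$1" in
        ''|*[!0-9A-Fa-f.:]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print one log line for the six expected arguments; fail on any other count
# (for example when a value containing spaces arrives split into several words).
format_alert() {
    if [ "$#" -ne 6 ]; then
        echo "expected 6 arguments, got $#" >&2
        return 2
    fi
    violator=$(sanitize "$3")
    is_address "$violator" || violator="invalid($violator)"
    printf 'id="%s" policy="%s" violator="%s" host="%s" proto="%s" msg="%s"\n' \
        "$(sanitize "$1")" "$(sanitize "$2")" "$violator" \
        "$(sanitize "$4")" "$(sanitize "$5")" "$(sanitize "$6")"
}

# Run only when invoked with arguments, as the notification would do.
if [ "$#" -gt 0 ]; then
    umask 077
    line=$(format_alert "$@")
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$line" >> "$ALERT_LOG"
fi
```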

Adding a threshold that sends an email notification

Now that a notification profile has been set up, a report which will trigger an email alert can be configured. Adding a threshold to a report requires that the report first be Saved.

Use the following steps to create a Saved Report.

  1. Go to the Status tab to bring up the Top Interfaces view

  2. Click on the interface name for the reports available list

  3. Select Top Reports > Applications Defined from the report menu. This will launch a report for the last 24 hours.

  4. To save this report:

    1. In the upper left, enter a name in the report text box

    2. Click the Save icon above the report name

  5. Next, in the Saved Report, click the Filters/Details button on the left. Click the Threshold tab in the modal. The threshold will use the parameters already defined in the report (Total vs. Rate, Bits or Bytes, etc.)

  6. Enter a threshold for the Total amount of traffic reported, or Per Row, which tells Scrutinizer to look at each line in the report table and match it against the threshold. This is useful for applying thresholds to Users or Applications.

  7. After completing the fields in the modal, click the Save Threshold button and another window will open prompting the user to select a Notification Profile.

  8. Click the dropdown list that says ‘None’ and select the profile that was created earlier, then click Save.

  9. To create a new Notification profile, click the Manage Notifications button.

  10. Notice that the Notification Profile was added to the Threshold.

With the threshold set, any time traffic on the specified interface exceeds the value set, an email alert including the specific violation information will be sent.

If any assistance is needed, please contact us.