Alert Logic Log Manager alert rules
Alert Logic provides two types of alert rules in Log Manager to protect you operationally and improve security:
- Collection alert rules assist with operations monitoring and trigger when Alert Logic does not collect log messages from a log source in the time window you provide. For example, you can configure a collection alert to send an email if a firewall that sends log messages often does not send any after an hour.
- Correlation alert rules can improve your security posture. They trigger when Alert Logic detects log messages that match criteria you give, including the message type. For example, you can configure a correlation alert to send an email if a correlation policy detects more than five failed logins to a server in 15 minutes.
Access Log Management alert rules
To access the Log Manager Alert Rules page, click CONFIGURATION, click Log Management, and then click Alert Rules.
Work with collection alert rules
Create and apply a collection alert rule
You can create a collection alert in Alert Logic Log Manager to notify you if Alert Logic does not receive log messages for some log sources for a period of time.
First you create the alert, which defines the email addresses that receive alerts and the conditions that trigger the alert. Then you associate the alert rule with specific log sources to monitor.
To create a collection alert rule:
- Navigate to the Log Management Alert Rules page, and then click Collection.
- Click the Add icon ().
- In Collection Alert Name, type a descriptive name.
- In Time Before Alert is Triggered, type a number of minutes. If Alert Logic collects no logs in this time, an alert is triggered.
- In Time Between Alert Occurrences, type a number of minutes. This time period specifies how frequently Alert Logic sends the collection alert again when collection of log messages is interrupted for a long period of time.
You cannot specify a number value greater than 3,600.
- In Email Addresses, type an email address. To add multiple email addresses, separate each entry with a comma. You can also search for an email address in the drop-down menu.
- Select Send Alert Once to receive alerts only once.
- Click Save
After you create the collection alert, you must apply the alert to a log source.
To apply the collection alert to a log source:
- In the Alert Logic console, click CONFIGURATION, and then click Deployments.
- Click the deployment tile you want to modify.
- In the left navigation area, click Log Sources
- In Select Filters, type or select a Source Type (you may need to scroll down the list to find the source types).
- Click the gear icon ().
- Select Mass Edit.
- In Apply changes to, select All Sources for all sources or Only Filtered Sources to choose an individual log source from the table.
- In Replace Collection Alerts, select your collection alert.
- Click Save.
Update a collection alert rule
If you update, archive, or delete any collection, policies, or alert rule configurations, you could break interconnected configurations.
To update a collection alert rule:
- Navigate to the Log Management Alert Rules page, and then click Collection.
- Click the pencil icon ( ) on the alert rule you want to update.
- In Collection Alert Name, type a descriptive name.
- In Time Before Alert is Triggered, type a number of minutes. If Alert Logic collects no logs in this time, an alert is triggered.
- In Time Between Alert Occurrences, type a number of minutes. This time period specifies how frequently Alert Logic sends the collection alert again when collection of log messages is interrupted for a long period of time.
You cannot specify a numeric value greater than 3,600.
- In Email Addresses, type an email address. To add multiple email addresses, separate each entry with a comma. You can also search for an email address in the drop-down menu.
- Select Send Alert Once to receive alerts only once.
- Click Update.
Delete a collection alert rule
If you update, archive, or delete any collection, policies, or alert rule configurations, you could break interconnected configurations.
To delete a collection alert rule:
- Navigate to the Log Management Alert Rules page, and then click Collection.
- Click the trash icon ( ) on the alert rule you want to delete.
- Click Delete.
Work with Correlation alert rules
Create a correlation alert rule
To create a correlation alert rule:
- Navigate to the Log Management Alert Rules page, and then click Correlation.
- Click the Add icon ().
- In Correlation Name, type a descriptive name.
- In Time Between Alert Occurrences, type a number of minutes. This time period specifies how frequently Alert Logic sends the correlation alert.
You must specify a numeric value between 10 and 3,600.
- Select an option for Trigger an alert when the message type is.
- To trigger an alert when the message type is in the select message types, select in the selected message types.
- To trigger an alert when the message type is not in the select message types, select NOT in the selected message types.
- Select Include message text to include the message text, and then in Message Types, select one or more options.
- In the Email Addresses field, select from the list of contacts you want to receive alerts.
- Click Save.
Update a correlation alert rule
If you update, archive, or delete any collection, policies, or alert rule configurations, you could break interconnected configurations.
To update a correlation alert rule:
- Navigate to the Log Management Alert Rules page, and then click Correlation.
- Click the pencil icon ( ) on the alert rule you want to update.
- In Name, type a descriptive name.
- In Time Between Alert Occurrences, type a number of minutes. This time period specifies how frequently Alert Logic sends the correlation alert.
You cannot specify a numeric value greater than 3,600.
-
Select an option for Trigger an alert when the message type is.
- To trigger an alert when the message type is in the select message types, select in the selected message types.
- To trigger an alert when the message type is not in the select message types, select NOT in the selected message types.
- Select Include message text to include the message text, and then in Message Types, select one or more options.
- In the Email Addresses field, select from the list of contacts you want to receive alerts.
- Click Update.
Delete a correlation alert rule
If you update, archive, or delete any collection, policies, or alert rule configurations, you could break interconnected configurations.
To delete a correlation alert rule:
- Navigate to the Log Management Alert Rules page, and then click Correlation.
- Click the trash icon ( ) on the correlation rule you want to delete.
- Click Delete.