Threat Manager alert rules
Alert Logic lets you define collection alert rules for your protected hosts (agents) and appliances so that you receive an alert when an agent stops collecting, stops sending traffic, or its assignment policy breaks.
Access Threat Manager alert rules
To access the Threat Manager Alert Rules page, click CONFIGURATION, click Network IDS, and then click Alert Rules.
Work with collection alert rules
Create and apply a collection alert rule
You can create a collection alert in the Alert Logic console to receive notifications if collection stops for any reason.
You must first create a collection alert and then apply the alert to the source.
- Navigate to the Network IDS Alert Rules page.
- Click the Add icon.
- In Collection Alert Name, type a descriptive name.
- In Time Before Alert is Triggered, type a number value in minutes.
- In Time Between Alert Occurrences, type a number value in minutes.
You cannot specify a numeric value greater than 3,600.
- In Target Type, select Agent or Appliance.
- In Alert Type, select an option.
- If you selected Agent, select one of the options below.
- Collection indicates any issue that has interrupted the collection of network traffic, inclusive of all other available alert types.
- Error Status reflects an agent health state that requires some triage on behalf of the customer.
- Offline Status may be expected, but if not, it is a condition for which a user may be alerted.
- Assignment indicates a broken assignment policy error, such as an orphaned agent.
- If you selected Appliance, select one of the options below.
- Collection indicates any issue that has interrupted the collection of network traffic, inclusive of all other available alert types.
- Too many IP addresses assigned indicates that HOME_NET has run out of room to add more IPs/subnets.
- In Email Addresses, type an email address. To add multiple email addresses, separate each entry with a comma.
- Select Send Alert Once to receive alerts only once.
- Click Save.
Once you have created the collection alert rule, apply it to the source (the agent or appliance) that it should monitor.
Update a collection alert rule
Updating, archiving, or deleting a collection, policy, or alert rule configuration can break other configurations that depend on it.
To update a collection alert rule:
- Navigate to the Network IDS Alert Rules page.
- In the list of alert rules, click the pencil icon for the alert rule to edit.
- In Collection Alert Name, type a descriptive name.
- In Time Before Alert is Triggered, type a number value and select an interval.
- In Time Between Alert Occurrences, type a number value in minutes.
You cannot specify a numeric value greater than 3,600.
- In Target Type, select Agent or Appliance.
- In Alert Type, select an option.
- If you selected Agent, select one of the options below.
- Collection indicates that an issue has interrupted the collection of network traffic.
- Error Status reflects an agent health state that requires some triage on behalf of the customer.
- Offline Status may be expected, but if not, it is a condition for which a user may be alerted.
- Assignment indicates a broken assignment policy error, such as an orphaned agent.
- If you selected Appliance, select one of the options below.
- Collection indicates that an issue has interrupted the collection of network traffic.
- Too many IP addresses assigned indicates that HOME_NET has run out of room to add more IPs/subnets.
- In Email Addresses, type an email address. To add multiple email addresses, separate each entry with a comma.
- Select Send Alert Once to receive alerts only once.
- Click Update.
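The two timing fields in the create and update procedures above (Time Before Alert is Triggered, Time Between Alert Occurrences), together with Send Alert Once and the 3,600 cap, decide when a collection alert actually reaches your inbox. The page does not define their interaction formally, so the model below is an added example, not Alert Logic's own code. It assumes the following reading of the fields: the first alert fires once a source has gone that many minutes without collecting, repeats fire no more often than the second value while the outage continues, Send Alert Once suppresses repeats, and a new heartbeat from the source resets the outage. The heartbeat timeline is constructed sample data.

```python
"""Model of a Threat Manager collection alert rule's timing behaviour.

Added example, not Alert Logic code. Field semantics are assumptions
(see lead-in); the 3,600 cap is the one stated on the page.
"""
from dataclasses import dataclass
from typing import List, Tuple

MAX_INTERVAL_MINUTES = 3600  # cap stated on the page


def parse_emails(field: str) -> Tuple[str, ...]:
    """Split the comma-separated Email Addresses field, dropping blanks."""
    return tuple(e.strip() for e in field.split(",") if e.strip())


@dataclass(frozen=True)
class CollectionAlertRule:
    name: str
    time_before_alert: int     # minutes without collection before first alert
    time_between_alerts: int   # minimum minutes between repeats (assumed)
    target_type: str           # "Agent" or "Appliance"
    alert_type: str            # e.g. "Collection", "Offline Status"
    emails: Tuple[str, ...]
    send_once: bool = False

    def __post_init__(self) -> None:
        # Reject values the console would not accept.
        if not 0 < self.time_before_alert <= MAX_INTERVAL_MINUTES:
            raise ValueError("Time Before Alert is Triggered must be 1..3600")
        if not 0 < self.time_between_alerts <= MAX_INTERVAL_MINUTES:
            raise ValueError("Time Between Alert Occurrences must be 1..3600")
        if self.target_type not in ("Agent", "Appliance"):
            raise ValueError("Target Type must be Agent or Appliance")
        if not self.emails:
            raise ValueError("at least one email address is required")


def evaluate(rule: CollectionAlertRule, heartbeats: List[int], now: int) -> List[int]:
    """Walk minutes 0..now and return the minutes at which an alert is sent.

    heartbeats: sorted minutes at which the source was observed collecting.
    An alert fires once the gap since the last heartbeat reaches
    time_before_alert; while the gap persists, repeats fire every
    time_between_alerts unless send_once is set. A heartbeat resets state.
    """
    pending = sorted(heartbeats)
    alerts: List[int] = []
    last_seen = None    # minute of the most recent heartbeat
    last_alert = None   # minute of the last alert in the current outage
    for t in range(now + 1):
        while pending and pending[0] <= t:
            last_seen = pending.pop(0)
            last_alert = None          # collection resumed: outage over
        if last_seen is None:
            continue                   # never collected yet; nothing to measure
        if t - last_seen < rule.time_before_alert:
            continue                   # gap not long enough to alert
        if last_alert is None:
            alerts.append(t)           # first alert for this outage
            last_alert = t
        elif not rule.send_once and t - last_alert >= rule.time_between_alerts:
            alerts.append(t)           # repeat, rate-limited
            last_alert = t
    return alerts


# Constructed sample: an agent that collected at minutes 0 and 5, then went
# silent, came back at minute 50, and went silent again until minute 100.
SAMPLE_HEARTBEATS = [0, 5, 50]

RULE = CollectionAlertRule(
    name="agent-collection-stalled",
    time_before_alert=10,
    time_between_alerts=30,
    target_type="Agent",
    alert_type="Collection",
    emails=parse_emails("soc@example.com, oncall@example.com"),
)

if __name__ == "__main__":
    print("repeating:", evaluate(RULE, SAMPLE_HEARTBEATS, now=100))
    once = CollectionAlertRule(**{**RULE.__dict__, "send_once": True})
    print("send once:", evaluate(once, SAMPLE_HEARTBEATS, now=100))
```

Running the model shows why the second field matters: with a 10-minute trigger and a 30-minute repeat interval the outage starting at minute 5 produces alerts at minutes 15 and 45, the heartbeat at minute 50 resets the rule, and the second outage alerts again at 60 and 90. With Send Alert Once the same timeline yields one alert per outage, so a long outage on an unattended source is easy to lose sight of.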
Delete a collection alert rule
Updating, archiving, or deleting a collection, policy, or alert rule configuration can break other configurations that depend on it.
To delete a collection alert rule:
- Navigate to the Network IDS Alert Rules page.
- Click the trash icon for the alert rule to delete.
- Click Delete.