Creating an Alert Profile

An alert is triggered whenever an event matching specific criteria is generated. An alert profile lets you define those criteria and, optionally, have EventLog Analyzer notify you by email when the corresponding alert is triggered.

Creating a New Alert Profile

Click the New Alert Profile link to create a new alert profile. You can find this link on the sub tab below the main tabs, or in the Alerts box on the left-side navigation of the Alerts tab.

  1. Provide an Alert Profile Name.
  2. Under Select Host/Group, select one or more hosts or host groups from the list if you want the alert profile to apply to multiple hosts or to groups of hosts. Both default and user-created host groups are listed.

     Attention: Alerts will not work for listed hosts whose logs have been imported. You need to add the host to EventLog Analyzer for alerts to work.

  3. Under Define Criteria, choose Create Custom Alert Profile if you want to set alert criteria based on the syslog log type.

     Field / Description

     Log Type
        Select the log type of the event for which the alert has to be triggered. The log types listed depend on the platform of the host or host group selected. Click More to add another log type; you can add a maximum of 5 log types. Click Remove to remove a log type.

     Severity
        Select the severity of the event for which the alert has to be triggered. Click More to add another severity; you can add a maximum of 5 severities. Click Remove to remove a severity.

     Log Message contains
        If you want the alert to be triggered when an event with a specific log message is generated, type the log message text here. Use a comma ',' to separate multiple log message texts.

     Exclude
        If you do not want the alert to be triggered when an event with a specific log message is generated, type the log message text here. Use a comma ',' to separate multiple log message texts.

     Number of occurrences
        Enter the number of times the event has to be generated before this alert is triggered.

     Occurring within
        Enter the time interval, in minutes, within which that number of events must occur for this alert to be triggered.

     For log types that are identified by event ID rather than severity, the criteria fields are:

     Field / Description

     Log Type
        Select the log type of the event for which the alert has to be triggered. The log types listed depend on the platform of the hosts or host groups selected.

     Event ID
        If you want the alert to be triggered for particular Event IDs, enter them here. Use a comma ',' to separate multiple event IDs. You can also specify a range of event IDs.

     Log Message contains
        If you want the alert to be triggered when an event with a specific log message is generated, type the log message text here. Use a comma ',' to separate multiple log message texts.

     Exclude
        If you do not want the alert to be triggered when an event with a specific log message is generated, type the log message text here. Use a comma ',' to separate multiple log message texts.

     Number of occurrences
        Enter the number of times the event has to be generated before this alert is triggered.

     Occurring within
        Enter the time interval, in minutes, within which that number of events must occur for this alert to be triggered.

  4. Choose Predefined Alert Profile if you want to set alert criteria based on predefined alerts.

     Field / Description

     Predefined Alert
        Select the event description for which the alert has to be triggered. An event is easier to identify by its description, which indicates the likely reason the event was generated.

     Severity / Event ID
        Depending on the type of predefined alert selected, this field displays either the event severity or the event ID.

     Log Type
        The log type of the selected predefined alert is displayed.

     Message
        If you want the alert to be triggered when an event with a specific log message is generated, type the log message text here.

     Number of occurrences
        Enter the number of times the event has to be generated before this alert is triggered.

     Occurring within
        Enter the time interval, in minutes, within which that number of events must occur for this alert to be triggered.

  5. Choose Compliance Alert Profile if you want to set alert criteria based on compliance violations. Compliance alerts are available only for logs received from Windows hosts. You can choose to be notified of HIPAA, GLBA, SOX, and PCI compliance violations by selecting the corresponding checkbox. Each of these compliance alerts is triggered for Failed Logon Attempts, Policy Changes, Account Changes, and Audit Logs Cleared, based on the following criteria.

     Field / Description

     Number of occurrences
        Enter the number of times the event has to be generated before this alert is triggered.

     Occurring within
        Enter the time interval, in minutes, within which that number of events must occur for this alert to be triggered.

  6. Under Define Actions, choose the Criticality. Criticality can be High, Medium, or Low. This is a value you set for the alert, for your own reference.
  7. Select the Notify by E-mail checkbox to receive an e-mail every time an alert matching this alert profile is triggered. Fill in the recipient e-mail address in the To box. E-mails can be sent to more than one address by separating the addresses with a comma ','.

     Note: You will have to configure the Mail Server Settings in EventLog Analyzer before e-mails can be sent from the server.

  8. Select the Run Program checkbox to execute a custom script when an alert is generated. Specify the location of the script in the Location field, and the parameters to be passed as arguments to the script in the Arguments field. Details from the log can be passed as arguments to the script by selecting the appropriate option under Select Arguments. Apart from these, you can also specify other arguments as required.
  9. Finally, click Add Alert Profile to save and activate this alert profile. Click Cancel to return to the previous page.
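The criteria and threshold fields above describe a matching rule plus a sliding-window counter. The following Python block is an added illustration of that logic, not EventLog Analyzer's own code: it applies Log Type, Severity, Event ID, Log Message contains and Exclude to each event, then fires when "Number of occurrences" matching events arrive within "Occurring within" minutes. The field names, the "start-end" syntax assumed for event ID ranges (the page only says ranges are allowed), the case-insensitive message comparison and the sample events are all assumptions made for this example.

```python
# Added example (not EventLog Analyzer code): a minimal alert-profile
# matcher for the criteria and threshold fields described on this page.
# Field names, the "start-end" range syntax for event IDs and the sample
# events are assumptions made for this illustration.
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set


def parse_list(spec: str) -> List[str]:
    """Split a comma-separated 'Log Message contains' / 'Exclude' value."""
    return [s.strip() for s in spec.split(",") if s.strip()]


def parse_event_ids(spec: str) -> Set[int]:
    """Parse '4625, 4770-4772' into {4625, 4770, 4771, 4772}.
    The page only says ranges are allowed; 'start-end' is assumed here."""
    ids: Set[int] = set()
    for part in parse_list(spec):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ids.update(range(lo, hi + 1))
        else:
            ids.add(int(part))
    return ids


@dataclass
class AlertProfile:
    name: str
    log_types: Set[str]
    severities: Set[str] = field(default_factory=set)
    event_ids: Set[int] = field(default_factory=set)
    contains: List[str] = field(default_factory=list)
    exclude: List[str] = field(default_factory=list)
    occurrences: int = 1          # "Number of occurrences"
    within_minutes: int = 1       # "Occurring within"
    # timestamps of matching events inside the current sliding window
    window: Deque[datetime] = field(default_factory=deque, repr=False)

    def matches(self, event: Dict) -> bool:
        """Apply the Define Criteria fields to one event."""
        if event["log_type"] not in self.log_types:
            return False
        if self.severities and event.get("severity") not in self.severities:
            return False
        if self.event_ids and event.get("event_id") not in self.event_ids:
            return False
        msg = event["message"].lower()  # case-insensitive matching is this example's choice
        if self.contains and not any(s.lower() in msg for s in self.contains):
            return False
        if any(s.lower() in msg for s in self.exclude):
            return False
        return True

    def feed(self, event: Dict) -> bool:
        """Return True when this event makes the threshold fire:
        'occurrences' matching events within 'within_minutes'."""
        if not self.matches(event):
            return False
        now = event["time"]
        self.window.append(now)
        cutoff = now - timedelta(minutes=self.within_minutes)
        while self.window and self.window[0] < cutoff:
            self.window.popleft()       # drop events that fell out of the window
        if len(self.window) >= self.occurrences:
            self.window.clear()         # reset so one burst fires once, not on every event
            return True
        return False


def run_demo() -> List[datetime]:
    """Feed constructed sample events through one profile; return the fire times."""
    profile = AlertProfile(
        name="Failed logons burst",
        log_types={"Windows"},
        event_ids=parse_event_ids("4625, 4770-4772"),
        contains=parse_list("failed"),
        exclude=parse_list("test-account"),
        occurrences=3,
        within_minutes=5,
    )
    t0 = datetime(2024, 1, 1, 10, 0)
    m = lambda n: t0 + timedelta(minutes=n)
    events = [  # constructed sample data, not real log output
        {"log_type": "Windows", "event_id": 4625, "time": m(0), "message": "An account failed to log on. Account: alice"},
        {"log_type": "Windows", "event_id": 4625, "time": m(1), "message": "An account failed to log on. Account: svc-test-account"},
        {"log_type": "Syslog", "severity": "Warning", "time": m(2), "message": "sshd: failed password for root"},
        {"log_type": "Windows", "event_id": 4625, "time": m(2), "message": "An account failed to log on. Account: bob"},
        {"log_type": "Windows", "event_id": 4771, "time": m(6), "message": "Kerberos pre-authentication failed. Account: alice"},
        {"log_type": "Windows", "event_id": 4625, "time": m(7), "message": "An account failed to log on. Account: carol"},
        {"log_type": "Windows", "event_id": 4625, "time": m(8), "message": "An account failed to log on. Account: dave"},
    ]
    return [e["time"] for e in events if profile.feed(e)]


if __name__ == "__main__":
    for t in run_demo():
        print("alert fired at", t.isoformat(timespec="minutes"))
```

In the sample run the excluded test account and the Syslog event never enter the window, the 10:00 event ages out before the 10:06 event arrives, and the threshold of three matching events within five minutes is first reached at 10:07, so the alert fires exactly once. The point at which `feed` returns True is where the Define Actions step hangs: the e-mail notification or the Run Program script. If a script action receives log details as arguments, pass them as separate argument-vector entries (for example `subprocess.run([script, field1, field2])`) rather than building a shell command string from them, since log message text is data produced by the monitored systems rather than something the alert author controls.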


Copyright © 2008, AdventNet Inc. All Rights Reserved.