How to Create Alert Profile
To create an alert profile, use any one of the following menu options:
- Alerts> Alerts Profiles > +
- Settings tab > Alerts > Add
- +Add > Alert
Follow the given procedure to create an alert profile.
-
Enter a unique name for the alert profile
-
Assign criticality for the alerts generated using this profile. The options available are High, Medium, and Low
-
To generate the alert, select the specific host(s) and/or host groups(s)
-
Defining Alert Critieria
An alert criteria can be defined with a set of
- Predefined Alerts - sets up the alerts quickly based on already defined criteria
- Compliance Alerts - provides you with pre-defined compliance specific alert conditions that can be used to generate alerts.
- Custom Alerts - allows you to customize your own alert conditions based on log message, type and more. This also allows you to generate alerts for imported logs
Pre-defined Alerts
Select 'Predefined Alert' criteria from the 'Define Criteria' options
-
Select an alert criteria from the set of predefined alert conditions.
-
When a 'Predefined Alert' item is selected, the 'Severity'/ 'Event ID', 'Log Type', and 'Message' of the log are automatically populated and the fields are non-editable. Thus it helps in creating alert profiles in a jiffy.
-
If you want to exclude certain event id from the alert criteria, specify that event id in Exclude EventId field
-
To qualify the alerts and to reduce event noise, specify the 'Number of Occurrences' and 'Occurring within' (a time range) fields.
You can then specify the notification type for the alert profile
Compliance Alerts
- 'Compliance Type' field allows you to select specific compliance type like FISMA,PCI,HIPAA,SOX, GLBA and ISO 27001:2013 and generate alerts for the events like Failed Logon Attempts, Policy changes, Account Changes and Audit Logs Cleared
-
If you want to exclude certain event id from the alert criteria, specify that event id in Exclude EventId field
- Specify the 'Number of Occurrences' and 'Occurring within' (time period) to reduce the event noise
You can then specify the notification type for the alert profile created.
Note:
- In both Predefined and Compliance alert criteria options, EventLog Analyzer 9.0 allows you to specify Windows 2008 event ids in 'Severity/Event ID' and 'Exclude EventId' fields
- You can specify multiple event ids separated by comma
Custom Alerts
For defining the alert criteria in Custom Alerts profile, you will have two options - 'Basic' and 'Advanced'.
By default, Advanced options will be active. If you need to switch to the Basic options click on 'Back to Basic Options' link
'Advanced options' for defining alert criteria
-
With 'Advanced options', you can define 'n' number of criteria and group them with And/Or operations
-
To define the alert criteria,choose the attributes from the predefined list.
-
Specify the value for the attribute.Select the comparator and then provide the value for the attribute.
-
With simple drag and drop, you can group and ungroup the alert criteria
Generating Alerts for Imported Logs
With EventLog Analyzer's Advanced Custom Alert option, you can generate alerts for custom extracted fields for Oracle, MS SQL, Print Server, IIS and other imported application logs.
To generate alert for specific custom extracted field of imported log follow the below procedure,
-
Choose the 'LogType' and select the imported log for which you need to trigger alerts
-
Add another field and specify the custom field and its value, upon occurrence of which the alert has to be triggered. EventLog Analyzer will automatically populate all the custom extracted fields for the selected log type and you choose the field of your choice from the list and then specify the value for the selected custom field.
Note: To add multiple custom extracted fields, make use of '+' option
-
Specify the value for 'Number of Occurrences' and 'Occuring within' fields to reduce the event alert noise
You can then specify the notification type for the alert profile created.
'Basic options' for defining alert criteria
-
Specify the type of the log in the 'Log Type' field for which the alert is to be triggered. You can specify multiple log types using + option. In this case, alert will be triggered if the criteria matches for atleast any one of the log types.
You can also specify the alert criteria based on severity and event ID. If you choose to trigger an alert for a particular type of severity, specify it in the 'Severity' field. As in the case of 'Log type', you can specify multiple severity using the + option. Alternatively if you want to trigger an alert for particular Event IDs, then specify them in 'EventID' field. You can also use the EventID link, to choose the predefined messages and for which the event IDs will be automatically populated.
- Use the event filter criteria, to narrow down the alert conditions.
If you want to trigger an alert for the logs with particular message, then specify the message in the 'Log Message Contains' field. You can also exclude a part of this message,using the 'Except' field. Alerts will not be triggered for the logs containing the message specified in the 'Except' field.
If you want the alert to be triggered for a particular event source and user, then specify them in 'Event Source' and 'User' fields.
In the 'Exclude Event ID' field, specify the event IDs, which you want to exclude from alerting.
-
To further qualify the alert generation, you have 'Number of occurrences' and 'Occurring within' field.
-
Specify the alert qualifying fields
You can then specify the notification type for your alert profile.
Alert Notification & Remediation
EventLog Analyzer provides you with two alert notification mechanisms
Further, you can also remediate the alert condition by running a script
Settings to notify alert by Email
Enter the details required for sending alert notification using email.
-
Enter the email address(es). Enter multiple email addresses separated by comma (,)
-
Enter the subject line of the email notification. You can also append the alert argument(s) to the subject line. Select the arguments from the list
-
You can add notes to the email notification. The maximum limit of notes is 250 characters. This will be appended to email notification content
If mail server is not configured in EventLog Analyzer, you will be prompted to set it when Notify by Email option is selected
Settings to notify alert by SMS
Enter the details required for sending alert notification using SMS.
-
Enter the mobile number to which the SMS notification to be sent
-
Enter the message of the SMS notification. You can also append the alert argument(s) to the message. Select the arguments from the list
If SMS setting is not configured in EventLog Analyzer, you will be prompted to set it when Notify by SMS option is selected
Settings to notify alert by Run Program
Enter the details required for running a script or program when the alert notification is triggered.
-
Enter the name of the script file with location in the EventLog Analyzer client machine. Alternatively, use the Browse button to select the script file
-
Specify the alert argument(s) to be passed to the script. Select the arguments from the list. The listed arguments are, source of the log, host generating the log, and the criticality of the alert
After Defining Alert Criteria, specifying the notification method, click on the Add Alert Profile button to complete the alert profile creation. The created alert profile will be listed in the Alert Profile Details screen. Created profiles can be enabled, disabled, modified, or deleted from the list
